Hi List,

This is my Zimbra setup

3 servers

MTA1 ( where Primary ldap is also ruunig )
MTA2 ( wthere Secondary ldap is also running)
Mailbox server

Since Zimbra 7.X ships with one year certificate by default, We installed 10 year certificate with below commands.

Zimbra must be running on all nodes , then,

on mta1 ( wheere primary ldap is ruunig )

1. /opt/zimbra/bin/zmcertmgr createca -new

2. /opt/zimbra/bin/zmcertmgr createcrt -new -days 3650 -subject "/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=*.example.com"

3. /opt/zimbra/bin/zmcertmgr deploycrt self -allserver

on all 3 nodes

4. /opt/zimbra/bin/zmcertmgr viewdeployedcrt

5. on mta1 ( wheere primary ldap is ruunig )
scp /opt/zimbra/conf/ca/ca.pem /opt/zimbra/conf/ca/ca.key root@mta2:/opt/zimbra/conf/ca/
scp /opt/zimbra/conf/ca/ca.pem /opt/zimbra/conf/ca/ca.key root@mailbox:/opt/zimbra/conf/ca/

6. on mta1, mta2 and mailbox

/opt/zimbra/java/bin/keytool -import -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/ca.pem

5. On ALL nodes

su - zimbra -c 'zmcontrol restart'

Everythig works fine. Now, we need to install a commercial certificate?

I found below URL


I need a little bit help.

According to my zimbra setup having 3 servers ( mailbox.example.com, mta1.example.com and mta2.example.com ), Users want to access webmail ( i.e - https://mailbox.example.com )

For that purpose, How can I begin this ?

firtst, I have to run below command?

zmtlsctl mixed

then, I think first, I have to create a .csr in this way ( since I have 3 servers, I need it in a Wild Card manner )

/opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -subject "/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=*.example.com"

It generates 2 files commercial.key and commercial.csr

Am I right?

Should I run this command on all 3 servers or on one server and then copy those commercial.key and commercial.csr to the other 2 servers ? pls answer.

Then, I will have to send this CSR to a SSL provider to buy a commercial.crt

Am I right so far?

then, What else will I have to do?

Hope to hear from you...