Hi ALL,

I just want to know how to create a Multi-Node Self-Signed Certificate, since I have 3 servers.

mta1 where ldap1 is installed
mta2 where ldap replica is installed
mailbox server

I use Zimbra 7.2 64-bit. After installing, I ran the commands below to get Multi-Node Self-Signed Certificates.

Multi-Node Self-Signed Certificate

1. Begin by generating a new Certificate Authority (CA).

/opt/zimbra/bin/zmcertmgr createca -new

2. Then generate a certificate signed by the CA that expires in 365 days with either wild-card or subject altnames.

/opt/zimbra/bin/zmcertmgr createcrt -new -days 365 -subject "/C=US/ST=CA/L=NVA/O=ZCS/OU=ZCS/CN=*.domain.tld"
/opt/zimbra/bin/zmcertmgr createcrt -new -days 365 -subjectAltNames "host1.domain.tld,host2.domain.tld"

3. Next, deploy the certificate to all nodes in the deployment.

/opt/zimbra/bin/zmcertmgr deploycrt self -allserver

4. To finish, verify the certificate was deployed.

/opt/zimbra/bin/zmcertmgr viewdeployedcrt


source - Administration Console and CLI Certificate Tools - Zimbra :: Wiki

But, I can't get 3 servers running after restarting zimbra (zmcontrol restart). It says unable to determine enabled services from ldap.

Now, I can't start the mta1 server with zmcontrol start. It always says

unable to determine enabled services from ldap. Enabled services read from cache. Service list may be inaccurate

I ran all the above commands on mta1 server since primary ldap is running there?

Should I run those commands on all 3 servers?



Another URL is here:

How to re-create self-signed certificate in a multiserver platform? - Zimbra :: Wiki

It is a little bit different there.


Now, I think that whatever we do, we will have to start the primary ldap server (in my case mta1) first.

So should I issue a SINGLE NODE self-signed certificate in this way?


Single-Node Self-Signed Certificate

1. Begin by generating a new Certificate Authority (CA).

/opt/zimbra/bin/zmcertmgr createca -new

2. Then generate a certificate signed by the CA that expires in 365 days.

/opt/zimbra/bin/zmcertmgr createcrt -new -days 365

3. Next deploy the certificate.

/opt/zimbra/bin/zmcertmgr deploycrt self

4. Next deploy the CA.

/opt/zimbra/bin/zmcertmgr deployca

5. To finish, verify the certificate was deployed to all the services.

/opt/zimbra/bin/zmcertmgr viewdeployedcrt


source - Administration Console and CLI Certificate Tools - Zimbra :: Wiki

Hope to hear from you. Really waiting for your reply.
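
Added example, not part of the original post or of Zimbra's tooling: step 2 of the multi-node procedure offers either a wildcard CN or a subjectAltNames list, and this sketch checks which node hostnames a given choice actually covers. The node names mta1/mta2/mailbox.domain.tld are constructed from the post's server labels and are assumptions, as are all function names.

```python
import re

def cert_names(subject="", subject_alt_names=""):
    """Collect the CN from a -subject string and the entries of a
    -subjectAltNames list, in the forms shown in the post."""
    names = re.findall(r"/CN=([^/]+)", subject)
    names += [n.strip() for n in subject_alt_names.split(",") if n.strip()]
    return names

def name_matches(pattern, host):
    """RFC 6125-style match: '*' is honoured only as the entire
    left-most label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def uncovered(names, hosts):
    """Return the hosts that no certificate name matches."""
    return [x for x in hosts if not any(name_matches(n, x) for n in names)]

# Constructed node list for a three-server deployment (assumed hostnames).
NODES = ["mta1.domain.tld", "mta2.domain.tld", "mailbox.domain.tld"]

# Wildcard form from the post's -subject example.
WILDCARD = cert_names(subject="/C=US/ST=CA/L=NVA/O=ZCS/OU=ZCS/CN=*.domain.tld")
# SAN form listing only two hosts, mirroring the two-entry sample list.
TWO_SANS = cert_names(subject_alt_names="mta1.domain.tld,mta2.domain.tld")

if __name__ == "__main__":
    print("wildcard misses:", uncovered(WILDCARD, NODES))
    print("two-SAN cert misses:", uncovered(TWO_SANS, NODES))
    # A wildcard does not reach hosts one level deeper.
    print("deeper host:", uncovered(WILDCARD, ["mail.sub.domain.tld"]))
```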