Zimbra makes it almost seamless when it comes to installing some default certificates to get SSL-based IMAP and SMTP working. I was hoping to take it a step further. I've read the wiki page on Commercial Certificates, but after following the directions, I got myself in a mess (big surprise). Luckily I had backed everything up prior to messing around.

What I'm trying to do is create and install the necessary certificate(s) into Zimbra manually. I run my own internal Certificate Authority (via OS X Certificate Assistant) and generate certificates for all my internal services (e.g., email, web, jabber, etc.). But I'm fairly certain I'm confused at this point on how many I need to create and how to properly import them into all the right places.

Essentially, at least at this point, I've created and signed a certificate for 'myhost.mydomain.com'. My options for exporting from Apple's Certificate Assistant are as follows:

1) Export certificate and private key to .p12 format
2) Export certificate in .cer or .pem and export private key in .p12 format

If needed, I can convert the .p12 private key file to .pem.

At this point, I'm stuck. If anyone can help, I have a few questions that might assist me in getting further along than I did last night.

1) How many certificates/keys does Zimbra use to make everything work? Keep in mind I need SSL for HTTPS, IMAP, and SMTP.

2) What is the role of the keystore in /opt/zimbra/tomcat/conf/keystore?

3) Is there any way to leverage the zminstallcert script to automagically install my own custom certs and make the right things happen?

4) Is there a better set of instructions someone can give me to help solve this issue?

Thanks in advance for any help on this!

As food for thought in a future version of Zimbra, it would be awesome if there was a screen within the Zimbra administration interface that allowed you to paste the private key and public key contents and have that import everything into the right places. Openfire (previously Wildfire) has this functionality in its hidden import-certificate.jsp page. More details here.