Still broken for me with 5.0.1 NE.
Cert works for all purposes except postfix.
strace ldapsearch -Z fails seraching for /opt/zimbra/conf/ca/c33a80d4.0, which does not correspond to the CA hash. I would guess that I somehow got two different keypairs for different services, but openssl s_client -connect mail:443 returns exactly the same cert as /opt/zimbra/conf/slapd.crt.
# /opt/zimbra/bin/zmcertmgr deploycrt comm
** Verifying /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt: /C=US/ST=Minnesota/L=Northfield/O=Carleton College/OU=Information Te
error 20 at 0 depth lookup:unable to get local issuer certificate
XXXXX ERROR: provided cert isn't valid.