After upgrading to 5.0 I used the Admin certificate tool to generate new certificates for my zimbra install. This worked fine for everything except the admin service its self on 7071. It continued to use the existing expired certificate. Digging around the Jetty configuration I found that the keystore that Jetty was using had two certs in it, the old one with the alias 'tomcat' and the new one with the alias 'jetty'. It looks like the jetty server is just taking the first cert in the chain. The solution is to delete the old tomcat certificate out of the keystore
first cd into the jetty dir
list the certs to see if the old tomcat is there, password is zimbra
if it is delete it, password is zimbra
/opt/zimbra/java/jre/bin/keytool -list -v -keystore ./keystore
then restart the service to use the right cert.
/opt/zimbra/java/jre/bin/keytool -delete -v -keystore ./keystore -alias tomcat
Hope this helps