Hi, I've just slogged through a new install, trying to manually install a certificate after the install, and wanted to at least voice a couple helpful tips briefly others might find useful.
-You're gonna want to get pretty familiar with the openssl utils. If you don't feel comfortable using it to find fingerprints, or to convert certificates, or to verify what file is what, things are probably going to be impossible.
-My starting place was Commercial Certificates - Zimbra :: Wiki . This link largely had all the info I needed to get everything sorted out, but it is kind of scattered and sometimes misses some steps.
-Continuing with the above wiki link, the initial walkthrough got my webmail site using the commercial certificate just fine, but according to the instructions did not install the certificate for use with secure imap or ssl over pop3/smtp.
-The walkthrough continues with some instructions to get the rest of your services using your certificate, which bombed my install. The web interface would come up, but it seemed like none of the internals worked, mail could not be sent. This is where this bug report saved the day: Bug 23294 - commercial certs fail to install . The brief overview is there are ~/conf/ldap-*.cf files that reference the right ssl certificate to use that need to be accomodated for, if you do not fix it, the ldap service does not work. In my case I followed the method described by Ryan in the bug comments, and moved my key, certificate, intermediate ca certificate and root ca certificate into the directory the ~/conf/ldap-*.cf files were looking; ran the c_rehash ./ in that directory after changing the certificate file's extensions to .pem; then altering the root ca's certificate file to say "BEGIN TRUSTED CERTIFICATE" instead of "BEGIN CERTIFICATE".
Hopefully this might be useful to someone out there.