I read one Web address about installing SSL certificate at wiki.zimbra.com/index.php?title=SSL_Certificate_Problems referred by Kevin.

This works great for installing self-signed certifcate by following the said instruction:
Clean up SSL Certificate and recreate a new self-signed cert:----
as root:
rm -rf /opt/zimbra/ssl
mkdir /opt/zimbra/ssl
chown zimbra:zimbra /opt/zimbra/ssl

su - zimbra
(all one line here: )

keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
(again, all one line: )
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

zmcertinstall mailbox ssl/ssl/server/tomcat.crt
zmcertinstall mta ssl/ssl/server/server.crt ss/ssl/server/server.key

However, when I did the following instruction as suggested to install a commerical SSL certificate, I experienced errors.
To Install a commerical SSL certificate first remove the self signed cert:
su - zimbra
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
keytool -delete -alias my_ca -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

then using your new certificate and key run:
zmcertinstall mailbox ssl/ssl/server/commercial.crt
zmcertinstall mta ssl/ssl/server/commercial.crt ssl/ssl/server/commercial.key

I have 2 questions:
1) An error occurred when I tried to execute " keytool -delete -alias my_ca -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra " (without quotes). Why is this command different from the one being used for the self-signed certificate ?

2) The instruction does not tell us how to generate a commerical.csr that is required by a commercial CA. I recall I used openssl to generate a commercial.csr in the past. Now with Zimbra, do we need to run zmcreateca once to get the server.csr to be used for applying a commerical.crt ? (note: I tried to use the server.csr generated by zmcreateca to get a free 1-month certificate at geotrust Web site. When I did the zmcertinstall mailbox ... , it generated an error.) Also, how can I set the password for the private key ?

Please advise.