I have set up a test environment of a multi-server Zimbra, looking like this:

Zimbra 8.0.0/Open Source, CentOS 6.3

1 x LDAP
2 x MTA/Proxy
2 x Mail store

One DNS alias resolving to the two IP addresses of the MTA/Proxy machines (i.e. DNS round-robin). The name is mail.example.com and this name is to be used by end-users.

Everything was working as expected until I tried to install a Commercial Certificate...

I followed this wiki: Administration Console and CLI Certificate Tools - Zimbra :: Wiki
(and my own notes of previous, successful installations in 7.x/NE/single-server).

The wiki does not show the procedure for Multi-server + Commercial cert, but I did it like this:

Code:
# /opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -subject '/C=COM/ST=Example/L=Someware/O=Some Site/OU=IT/CN=mail.example.com' -subjectAltNames 'z-ldap1.example.com, z-gw.1.exampl.com, ...' (all server names as AltNames)

# openssl req -noout -text -in /opt/zimbra/ssl/zimbra/commercial/commercial.csr (Looking good. Got it signed.)
# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /root/SSL/cert.crt /root/SSL/chain.crt (Looking good. After signing.)

# /opt/zimbra/bin/zmcertmgr deploycrt comm /root/SSL/mail.example.com.crt /root/SSL/chain.crt -allserver
The last step started the installation on all machines in the system, but failed big time... see below:

Did I guess wrong on how to do this for multi-server + comm cert?

I ran this on one of the mail stores (the wiki does not specify this). Was this correct?

Output:
Code:
# /opt/zimbra/bin/zmcertmgr deploycrt comm /root/SSL/mail.example.com.crt /root/SSL/chain.crt -allserver
** Verifying /root/SSL/mail.example.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/root/SSL/mail.example.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /root/SSL/mail.example.com.crt: OK
** Copying /root/SSL/mail.example.com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /root/SSL/chain.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving global config key zimbraSSLCertificate...done.
** Saving global config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
Warning: Permanently added 'z-gw-1.example.com,192.168.18.188' (RSA) to the list of known hosts.
STARTCMD: z-gw-1.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver

** Retrieving global config key zimbraSSLCertificate...done.
** Retrieving global config key zimbraSSLPrivateKey...done.
ENDCMD: z-gw-1.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver

STARTCMD: z-gw-1.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm

** Retrieving server config key zimbraSSLCertificate...done.
** Retrieving server config key zimbraSSLPrivateKey...done.
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Error loading file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-attime timestamp] [-engine e] cert1 cert2 ...
recognized usages:
        sslclient       SSL client
        sslserver       SSL server
        nssslserver     Netscape SSL server
        smimesign       S/MIME signing
        smimeencrypt    S/MIME encryption
        crlsign         CRL signing
        any             Any Purpose
        ocsphelper      OCSP helper
        timestampsign   Time Stamp signing
XXXXX ERROR: Invalid Certificate:
XXXXX ERROR: provided cert isn't valid.
ENDCMD: z-gw-1.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm

Warning: Permanently added 'z-gw-2.example.com,192.168.18.189' (RSA) to the list of known hosts.
STARTCMD: z-gw-2.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver

** Retrieving global config key zimbraSSLCertificate...done.
** Retrieving global config key zimbraSSLPrivateKey...done.
ENDCMD: z-gw-2.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver

STARTCMD: z-gw-2.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm

** Retrieving server config key zimbraSSLCertificate...done.
** Retrieving server config key zimbraSSLPrivateKey...done.
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Error loading file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-attime timestamp] [-engine e] cert1 cert2 ...
recognized usages:
        sslclient       SSL client
        sslserver       SSL server
        nssslserver     Netscape SSL server
        smimesign       S/MIME signing
        smimeencrypt    S/MIME encryption
        crlsign         CRL signing
        any             Any Purpose
        ocsphelper      OCSP helper
        timestampsign   Time Stamp signing
XXXXX ERROR: Invalid Certificate:
XXXXX ERROR: provided cert isn't valid.
ENDCMD: z-gw-2.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm

Warning: Permanently added 'z-ldap1.example.com,192.168.18.187' (RSA) to the list of known hosts.
STARTCMD: z-ldap1.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver

** Retrieving global config key zimbraSSLCertificate...done.
** Retrieving global config key zimbraSSLPrivateKey...done.
ENDCMD: z-ldap1.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver

STARTCMD: z-ldap1.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm

Warning: Permanently added 'z-store2.example.com,192.168.18.186' (RSA) to the list of known hosts.
STARTCMD: z-store2.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver

** Retrieving global config key zimbraSSLCertificate...done.
** Retrieving global config key zimbraSSLPrivateKey...done.
ENDCMD: z-store2.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver

STARTCMD: z-store2.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm

** Retrieving server config key zimbraSSLCertificate...done.
** Retrieving server config key zimbraSSLPrivateKey...done.
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Error loading file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-attime timestamp] [-engine e] cert1 cert2 ...
recognized usages:
        sslclient       SSL client
        sslserver       SSL server
        nssslserver     Netscape SSL server
        smimesign       S/MIME signing
        smimeencrypt    S/MIME encryption
        crlsign         CRL signing
        any             Any Purpose
        ocsphelper      OCSP helper
        timestampsign   Time Stamp signing
XXXXX ERROR: Invalid Certificate:
XXXXX ERROR: provided cert isn't valid.
ENDCMD: z-store2.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm
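
Added example, not part of the original post: a small shell/awk filter that condenses `-allserver` output like the log above into one result line per host and sub-command, so a block that never reaches its `ENDCMD:` marker (as with `z-ldap1.example.com deploycrt` above) stands out next to the CA-file failures. The function names and the status labels (`OK`, `ERROR`, `CA_FILE_UNREADABLE`, `NO_ENDCMD`) are names chosen for this example, and the embedded log is abridged from the output above.

```shell
#!/bin/sh
# Added example: per-host summary of "zmcertmgr ... -allserver" output.
# It relies only on the STARTCMD:/ENDCMD: markers and the error lines
# visible in the log; the status labels are names chosen for this example.

summarize_deploy() {
  awk '
    # Print one result line for the block in progress, then close it.
    function emit(s) { if (host != "") print host, action, s; host = "" }

    # A new block starts; a block still open here never reached ENDCMD.
    /^STARTCMD: / { emit("NO_ENDCMD"); host = $2; action = $5; status = "OK"; next }

    # The CA chain file could not be loaded on that host.
    host != "" && /^Error loading file / { status = "CA_FILE_UNREADABLE"; next }

    # Any other error line inside a block.
    host != "" && /ERROR:/ && status == "OK" { status = "ERROR"; next }

    /^ENDCMD: / { emit(status) }
    END { emit("NO_ENDCMD") }
  '
}

# Constructed sample: abridged from the deploycrt output shown above.
sample_log() {
  cat <<'EOF'
STARTCMD: z-gw-1.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver
** Retrieving global config key zimbraSSLCertificate...done.
ENDCMD: z-gw-1.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver
STARTCMD: z-gw-1.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm
Error loading file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
XXXXX ERROR: Invalid Certificate:
ENDCMD: z-gw-1.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm
STARTCMD: z-ldap1.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm
STARTCMD: z-store2.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver
ENDCMD: z-store2.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver
EOF
}

sample_log | summarize_deploy
```

To run it against a real deployment, pipe the saved command output into `summarize_deploy` instead of `sample_log`.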