I ignored Point 4. mailboxd refused to start, everythin else is running. The trick is to set the old mailboxd_keystore_password
zmlocalconfig -e mailboxd_keystore_password=oldpassword
To move /opt/zimbra/mailboxd/etc/keystore away, copy the certificates /opt/zimbra/ssl/zimbra/commercial/* from the old server to the new and deploy them with
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
After that everything started.
I found this much easyer.