- - - By CrazyStat - - -

11. September 2012

Zimbra: Setting up a free (real) “commercial” SSL certificate

Filed under: Linux,Security,Server Administration — Tags: , , , , , — Christopher Kramer @ 20:40

I recently wrote about how to configure a new self-signed certificate for Zimbra.

Today I want to explain you how you can do even better and setup a real SSL certificate by Startcom which will make those annoying browser warning messages go away 😉 And the best: It is all for free, thanks to Startcom! It is also important to have a real SSL-certificate for use with most smartphones.

Please note that you have to respect Startcom’s certificate policy, which might require a non-free class 2 certificate for your commercial use. See the policy for details. Thanks to Thomas for this remark. With “commercial” certificate, I here mean a “real” CA-signed certificate, which Zimbra calls “commercial”, no matter whether used in a commercial context or not.

First, create a Certificate Request (CSR) in Zimbra. To do so, ssh into your server, login as root and issue a command like this:

/opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -digest sha256
-subject "/C=US/ST=CA/L=Sunnyvale/O=Yahoo/OU=Zimbra Collaboration Suite/"

This is one line. What is important here, is that you use the domain name for which the certificate should be issued at the end (instead of Startcom will ignore everything else anyway, so you can leave country, state, organization and so on as is or change it, doesn’t matter. What is also important is that you define a keysize of 2048 as Startcom won’t accept 1024 bit keys anymore. This parameter is not documented in the wiki yet, and seems to be available for newer versions of Zimbra only. With a little trick, it should also be also possible for older versions of zimbra such as 5 (but better update to the new version anyway…).

Next thing you do is register at startcom if you do not have an account yet. You’ll get an S/MIME certificate by Startcom for free which you need to login to their control panel. Your browser will generate the secret certificate and store it in its internal storage. I’d recommend you to backup this certificate – you will not be able to login into your startcom account if you loose it.

Then at startcom, you use the validation wizard to validate your domain. This will send a mail to postmaster/hostmaster/ (you can choose which one) with being your domain. So you need access to one of these mailboxes to prove that you own the domain.

Then use the certificate wizard at Startcom to create a new certificate. Skip the certificate creation step! Instead, past the CSR created by Zimbra ( /opt/zimbra/ssl/zimbra/commercial/commercial.csr ) into the webform. (Better always create private certificates yourself, never use certificate generators by somebody else, not even the CA.)

Once the certificate is created by Startcom (usually takes some minutes), install it as described in the zimbra wiki:

  1. Store the new (public) certificate you get from Startcom somewhere (e.g. /root/commercial.crt )
  2. Download the root CA certificate
    wget -O /root/ca.pem
  3. Download the intermediary certificate from startcom
    # If your certificate is class 1:
    wget -O /root/ca_intermediary.crt
    # If your certificate is class 2:
    wget -O /root/ca_intermediary.crt
  4. Combine them:
    cat /root/ca_intermediary.crt /root/ca.crt > /root/ca_chain.crt
  5. Verify your certificate:
    /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /root/commercial.crt /root/ca_chain.crt
  6. Deploy your certificate:
    /opt/zimbra/bin/zmcertmgr deploycrt comm /root/commercial.crt /root/ca_chain.crt
  7. Check:
    /opt/zimbra/bin/zmcertmgr viewdeployedcrt
  8. Restart Zimbra
    su – zimbra
    zmcontrol stop
    zmcontrol start

I hope this post was useful so some of you. If you have problems with one of the steps, just ask in the comments.

Read here how to redirect http to https to enforce the use of https.


Try my Open Source PHP visitor analytics script CrazyStat.


  1. Good information about free certificates. After a year do you have to pay to renew the certificates or they keep free?

    Comment by ariel — 30. October 2012 @ 15:22

  2. @ ariel:

    No, you don’t need to pay for a new certificate. You’ll only need to request a new certificate every year. They even remind you by mail to do it 😉
    If you buy an ssl certificate somewhere else, you usually need to request a new one at least every two years, so the difference is not that significant in that regard.

    Of course you can get “better” certificates for money. For example wildcard certificates or class 2 verification. But for lots of usages, the startcom certificates are enough I’d say. At least in all cases where self-signed ones are used at the moment…

    Comment by Christopher K. — 3. November 2012 @ 00:22

  3. According to startCom’s “Certificate Policy & Practice Statements”:

    Class 1 certificates are limited to client and server
    certificates, whereas the later is restricted in its usage for
    non-commercial purpose only.

    Hence, your post title seems inaccurate.

    Comment by Thomas — 20. January 2013 @ 17:19

  4. @Thomas: Thanks for the remark. Zimbra calls any non-self-signed certificate “commercial”, therefore, startcom’s certificates are “commercial” in the way Zimbra calls these things.

    In fact this does not mean that Startcom’s certificates can be commercially used for any purpose. Of course you need to respect their policies. Maybe I should clarify the article.

    Comment by Christopher K. — 20. January 2013 @ 17:37

  5. Hi,

    Here is a step-by-step walkthrough to get a free SSL certificate with StartSSL:

    Maybe it can help as their website is not the most friendly user. 😉

    Comment by Ilario — 17. March 2013 @ 10:50

  6. Very Thanks!!!!

    Comment by hossein Kouhsari — 12. April 2016 @ 12:43

  7. Hi Please guide me how can i install godady ssl certificate in zimbra 8.6 open source server..

    Comment by Raj Dogra — 29. December 2016 @ 18:53

RSS feed for comments on this post. TrackBack URL

Leave a comment

%d bloggers like this: