Zimbra SSL Renewal – Trustwave

EDIT – May 7, 2017 – this post has been updated with different versions of Zimbra.

Release 8.7.0_GA_1659.RHEL6_64_20160628192545 RHEL6_64 FOSS edition.

For this SSL installation I used the file mydomain.com.cer from the zip file sent from Trustwave.  I then downloaded https://ssl.trustwave.com/support/certificates/stca.crt and added it to the file chain.cer from the Trustwave zip file.  (Just open a text editor and combine the two files.)  I saved the new file as combined.cer.

Then, on the Zimbra admin GUI, using the certificate installation wizard, I took the mydomain.com.cer in the first box, and the combined.cer in the second box.  The installer happily ate the file and the certificate is installed.


Release 8.0.9_GA_6191.RHEL6_64_20141103151557 RHEL6_64 FOSS edition

My SSL certificate for mail.rapidemail.net expired today.  I’d renewed it about 2 weeks ago, just hadn’t placed the certificate yet because I couldn’t get Zimbra to eat it.

After some Google searching, I found the solution.

I ended up using the Zimbra Web Admin console and just using the wizard to install the certificate, which was nice.  I used the certificate file issued by Trustwave (DV version) for the certificate itself.  Included in the zip file from Trustwave was a file called chain.cer, which was the same as their ROOT certificate.  I thought it was the intermediate CA cert at first, which is what threw me off.

Unfortunately, I still needed to have that intermediate CA to make it all fly.  I found on a forum that the certificate located at https://ssl.trustwave.com/support/certificates/stca.crt was the missing component.

So, in summary……

mail.rapidemail.net.cer = first certificate in wizard

chain.cer = second certificate in wizard (root)

stca.crt = third certificate in wizard (intermediate CA)

Once I did it in that manner, the wizard accepted everything, and told me I had to restart Zimbra, which I did.  All is now well in certificate land, except for that OpenSRS/Trustwave boned me for about 10 days of renewal period, making my new expiration date the same as the date I issued the renewal instead of the original expiration date!

Posted in Technology.