EDIT – May 7, 2017 – this post has been updated with different versions of Zimbra.
Release 8.7.0_GA_1659.RHEL6_64_20160628192545 RHEL6_64 FOSS edition.
For this SSL installation I used the file mydomain.com.cer from the zip file sent from Trustwave. I then downloaded https://ssl.trustwave.com/support/certificates/stca.crt and added it to the file chain.cer from the Trustwave zip file. (Just open a text editor and combine the two files.) I saved the new file as combined.cer.
Then, on the Zimbra admin GUI, using the certificate installation wizard, I took the mydomain.com.cer in the first box, and the combined.cer in the second box. The installer happily ate the file and the certificate is installed.
Release 8.0.9_GA_6191.RHEL6_64_20141103151557 RHEL6_64 FOSS edition
My SSL certificate for mail.rapidemail.net expired today. I’d renewed it about 2 weeks ago, just hadn’t placed the certificate yet because I couldn’t get Zimbra to eat it.
After some Google searching, I found the solution.
I ended up using the Zimbra Web Admin console and just using the wizard to install the certificate, which was nice. I used the certificate file issued by Trustwave (DV version) for the certificate itself. Included in the zip file from Trustwave was a file called chain.cer, which was the same as their ROOT certificate. I thought it was the intermediate CA cert at first, which is what threw me off.
Unfortunately, I still needed to have that intermediate CA to make it all fly. I found on a forum that the certificate located at https://ssl.trustwave.com/support/certificates/stca.crt was the missing component.
So, in summary……
mail.rapidemail.net.cer = first certificate in wizard
chain.cer = second certificate in wizard (root)
stca.crt = third certificate in wizard (intermediate CA)
Once I did it in that manner, the wizard accepted everything, and told me I had to restart Zimbra, which I did. All is now well in certificate land, except for that OpenSRS/Trustwave boned me for about 10 days of renewal period, making my new expiration date the same as the date I issued the renewal instead of the original expiration date!