Certificate Signing Request (CSR) Generation Instructions for Zimbra 5.0.x, 6.0.x, & 7.0.x

Apr 20, 2023
Here are detailed instructions on how to generate a CSR for Zimbra 5.0.x, 6.0.x, and 7.0.x using the command line interface:

Method 1: Generate CSR using the command line interface:
  1. Log in to the Zimbra server as the "zimbra" user.
  2. Switch to the Zimbra SSL directory by running the command "cd /opt/zimbra/ssl/zimbra".
  3. Run the command "openssl req -new -newkey rsa:2048 -nodes -keyout zimbra.key -out zimbra.csr" to generate the private key and CSR.
  4. Fill in the information prompted by the command, including the common name (i.e., the fully qualified domain name of the Zimbra server), organizational unit, organization, city, state, and country.
  5. Press enter to skip the "challenge password" and "optional company name" fields.
  6. The private key and CSR files will be generated in the "zimbra" directory. The CSR file will be named "zimbra.csr" and the private key will be named "zimbra.key".
  7. Submit the CSR file to the certificate authority for signing.
  8. Once you receive the signed certificate, run the command "openssl pkcs12 -export -in zimbra.crt -inkey zimbra.key -out zimbra.p12" to create a PKCS12 formatted certificate.
  9. Run the command "keytool -importkeystore -srckeystore zimbra.p12 -srcstoretype PKCS12 -destkeystore /opt/zimbra/java/jre/lib/security/cacerts -deststoretype JKS" to import the certificate into the Zimbra keystore.
  10. Restart the Zimbra services for the changes to take effect.

Note: Keep the private key safe. Do not share it and do not lose it.


Method 2: To generate a CSR through the Zimbra admin console for versions 5.0.X, 6.0.X, and 7.0.X, you will need to follow these steps:
  1. Log in to the Zimbra admin console as an administrator.
  2. Navigate to the "Configure" section and click on "Certificates."
  3. In the "Certificate Signing Requests" section, click on "New."
  4. Fill in the required information, such as the domain name and the organization name, and select the appropriate key size.
  5. Click on "Create" to generate the CSR.
  6. Once the CSR is generated, you will need to copy the contents of the CSR and submit it to your certificate authority (CA) for signing.
  7. After the CA has signed your CSR, you will need to download the signed certificate and the intermediate certificate(s) from the CA.
  8. In the main menu, click Configure.
  9. Select Certificates. Then, click the gear icon on the top right (next to Help) and select Install Certificate.
  10. Select the target server on which to generate the SSL files, such as the CSR and the private key.
  11. In the next step, select the option Generate the CSR for the commercial certificate authorizer.
  12. In this window, select the following settings:
    1. Digest: select SHA256 or above, not SHA1, as it is no longer considered to be secure.
    2. Key Length: 2048 or above.
    3. Common Name (CN): this needs to be the FQDN that you want to use. If you are using a Single-Server, it is recommended that the FQDN and the hostname are the same.
    4. Wildcard: tick this checkbox if you want to use a Wildcard SSL certificate for your Zimbra and for the rest of the FQDNs in your company. If the hostname and the FQDN don't match, but are in the same domain, use this option and buy a Wildcard Certificate.
    5. Subject Alternative Name (SAN): you can add other names here if you will use a Multi-SAN SSL certificate. This option is indicated if you want to have mail.customer1.com, mail.customer2.com, etc.
  13. You can now download the CSR file, ready to send to your SSL Certificate Provider. If you miss this step, you can find the CSR file at the path /opt/zimbra/ssl/zimbra/commercial/commercial.csr
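
Before sending a CSR from either method to the CA, it is worth confirming that it meets the settings listed above and belongs to the key you hold. The script below is an added example, not part of the original instructions or of Zimbra; the function names, the scratch directory and the CN mail.example.com are assumptions, and -subj and -sha256 are added to the Method 1 command so the demo runs without prompts.

```shell
# Added example: checks for zimbra.csr / zimbra.key before submission to a CA.
csr_text() { openssl req -in "$1" -noout -text; }

# True if the CSR self-signature verifies (the request is intact).
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Key size in bits, e.g. 2048.
csr_key_bits() {
    csr_text "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Signature algorithm name, e.g. sha256WithRSAEncryption.
csr_digest() {
    csr_text "$1" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# True if the CSR carries the public half of the given private key.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# True if only the owner can access the key file (no group/other bits).
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Runs all checks; prints one line per failure and returns non-zero on any.
check_csr() {
    local csr=$1 key=$2 rc=0
    csr_signature_ok "$csr"       || { echo "FAIL: CSR signature"; rc=1; }
    [ "$(csr_key_bits "$csr")" -ge 2048 ] 2>/dev/null || { echo "FAIL: key under 2048 bits"; rc=1; }
    case "$(csr_digest "$csr")" in
        sha1*|md5*|"") echo "FAIL: weak or unknown digest"; rc=1 ;;
    esac
    csr_matches_key "$csr" "$key" || { echo "FAIL: CSR/key mismatch"; rc=1; }
    key_is_private "$key"         || { echo "FAIL: key readable by others"; rc=1; }
    return $rc
}

# Constructed demo in a scratch directory; the CN is a placeholder.
demo_dir=$(mktemp -d)
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=mail.example.com" \
    -keyout "$demo_dir/zimbra.key" -out "$demo_dir/zimbra.csr" 2>/dev/null
chmod 600 "$demo_dir/zimbra.key"
check_csr "$demo_dir/zimbra.csr" "$demo_dir/zimbra.key" && echo "CSR OK"
```

For the admin console method, point check_csr at the commercial.csr path given in the last step and at the private key generated alongside it.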
