There are two possible ways to generate a CSR on a Zimbra mail server: in the Zimbra Admin WebApp, or using the Zimbra command line interface.
Note: Zimbra supports only one CSR and private key file. Generating a new CSR will replace the previous CSR and private key files.
CSR generation in the Zimbra Admin Console
By default the Zimbra Administration web interface can be accessed via the following URL:
- yourdomain.com is the Zimbra server hostname, usually assigned during the initial Zimbra setup.
Log into the Administration Console with your admin credentials (the default admin username is email@example.com) and follow these steps:
1. Click “Configure” in the menu list on the left:
2. Click “Certificates” in the left pane, then click the gear icon on the top right and select “Install Certificate”:
3. Select the needed servername from the drop-down menu and click “Next”:
4. Select “Generate the CSR for the commercial certificate authorizer” and click “Next”:
5. Fill in the details as follows:
- Key Length: the length of private and public keys. The current industry standard is 2048 bits.
- Common Name: the domain that is your server hostname (yourdomain.com). The “Use Wildcard Common Name” option should be used only if you have a wildcard certificate.In this case, the Common Name should be specified in the following format: *.example.com.
- Country Name: the country should be entered as a two-letter ISO 3166-1 -compliant country code. The list of country codes can be checked here: https://countrycode.org/
- State/Province: state, province or region; you can enter the city if this field is not applicable for your country.
- City: your city.
- Organization Name: company name; for Domain Validation certificates, you can simply enter “NA” as DV certificates do not include company details.
- Organization Unit: company department; you can enter “NA” as this field is not included into certificates.
- Subject Alternative Names: SANs may be specified only if you have a multi-domain certificate. For other certificates, please leave this field empty.
6. Once all fields are filled, click “Next” to continue:
7. Click “Download the CSR” and save the CSR file. To proceed with the certificate activation in your SSLs.com account, open the CSR file with any text editor (e.g., Notepad or TextEdit) and copy-paste the entire content into the CSR submission box.
Note: Before submitting the CSR in your account, we recommend checking it for possible issues with this online tool: https://decoder.link/
CSR generation using Zimbra Certificate CLI
You can use the zmcertmgr command line tool to generate a CSR and manage certificates. To do it, you will need SSH access to the server. To use this tool, log in as root for Zimbra version prior to 8.7, or as the zimbra user for versions 8.7 and higher. To switch to the zimbra user, you can run this command (you need to be logged in as root — you can run sudo su to switch to root):
su - zimbra
The default location of the zmcertmgr tool is /opt/zimbra/bin/zmcertmgr. To generate a CSR, run the following command:
/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=CC/ST=State/L=City/O=Company/OU=NA/CN=yourdomain.com" -noDefaultSubjectAltName
Replace the highlighted values as follows:
- C= Country, should be specified as a two-letter ISO 3166-1-compliant country code. The list of country codes can be checked here: https://countrycode.org/
- ST= State or province; enter the city if not applicable
- L= Locality (city)
- O= Organization (company name); you can enter “NA” if this field is not applicable
- OU= Organization Unit (company name); you can enter “NA” if this field is not applicable
- CN= Common Name (domain that is your server hostname). If you have a wildcard certificate, enter the Common Name in this format: *.yourdomain.com.
Here is an example command for reference: /opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=California/L=Los Angeles/O=MyCompany Inc/OU=NA/CN=server.mydomain.com" -noDefaultSubjectAltName
The output will look like this:
If you need to generate a CSR with multiple domains to activate a multi-domain certificate, you can adjust the command to include SANs in the following way:
/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=CC/ST=State/L=City/O=Company/OU=NA/CN=yourdomain.com" -subjectAltNames “subdomain.yourdomain.com,otherdomain.com”
Additional domains should be typed in instead of subdomain.yourdomain.com and otherdomain.com.
The CSR will be saved into this file: /opt/zimbra/ssl/zimbra/commercial/commercial.csr.
You can open the file with a text editor like Nano, or run this command to print it to console:
To proceed with certificate activation, copy the entire output including -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----, and paste it into the CSR box in your SSLs.com account.
Before submitting the CSR in your account, we recommend checking it for possible issues with this online tool: https://decoder.link/
Note: The corresponding private key will be saved in the same directory as /opt/zimbra/ssl/zimbra/commercial/commercial.key. The key will be required for certificate installation on Zimbra.
More details on the zmcertmgr tool usage can be found on the Zimbra Wiki: https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools#ZCS_Certificate_CLI