How to create a new CA on Zimbra 5.0

After I started my Zimbra server, I got an alert from it. It told me that my CA did not match my domain. This is an example alert:

If you want to create a new CA for your Zimbra server, you can follow these steps:


[aoddy@zimbra ~]# su -
[root@zimbra ~]# rm -rf /opt/zimbra/ssl
[root@zimbra ~]# mkdir /opt/zimbra/ssl
[root@zimbra ~]# chown zimbra:zimbra /opt/zimbra/ssl

Switch to the zimbra account.

[root@zimbra ~]# su - zimbra
[zimbra@uranus ~]$ keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
[zimbra@uranus ~]$ keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass zimbra
keytool error: Keystore was tampered with, or password was incorrect
[zimbra@uranus ~]$ zmlocalconfig -s -m nokey mailboxd_keystore_password

Edit some details in file /opt/zimbra/conf/

countryName_default = TH
stateOrProvinceName = Bangkok
localityName = Thailand
0.organizationName = Aoddy
organizationalUnitName = Aoddy
commonName = #(eg, your name or your server\'s hostname)
commonName_default =

Create the new CA.

[root@uranus ~]# /opt/zimbra/bin/zmcertmgr createca -new
** Creating directory /opt/zimbra/ssl/zimbra
** Creating directory /opt/zimbra/ssl/zimbra/ca
** Creating directory /opt/zimbra/ssl/zimbra/server
** Creating directory /opt/zimbra/ssl/zimbra/commercial
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf…done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key…done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem…done.

Deploy the new CA.

[root@uranus ~]# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS…done.
** Saving CA in ldap…done.
** Copying CA to /opt/zimbra/conf/ca…done.

Create a self-signed certificate request.

[root@uranus ~]# /opt/zimbra/bin/zmcertmgr createcsr self -new '/C=TH/ST=Bangkok/L=Thailand/O=Aoddy/'
** Generating a server csr for download self -new /C=TH/ST=Bangkok/L=Thailand/O=Aoddy/
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080226155943
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr…done.

Deploy the new certificate.

[root@uranus ~]# /opt/zimbra/bin/zmcertmgr deploycrt self -new
** Installing Certificates from /opt/zimbra/ssl/zimbra/server/server.crt
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080226160014
** Creating /opt/zimbra/conf/zmssl.cnf…done
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr…done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore…done.
** Installing mta certificate and key…done.
** Installing slapd certificate and key…done.
** Installing proxy certificate and key…done.
** Installing CA to /opt/zimbra/conf/ca…done.

Check the new certificate.

[root@uranus ~]# /opt/zimbra/bin/zmcertmgr viewcsr self

Perfect !! 😀
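
To confirm that the deployed certificate is really signed by the new CA and carries the server's host name (the mismatch the alert complained about), a check like the one below can be used. It is an added example, not part of the original post: the function names, the host names and the throwaway demo CA are assumptions, and only the /opt/zimbra/ssl paths in the last comment come from the steps above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Exit codes: 0 = OK, 1 = certificate does not verify against the CA
# (wrong CA, expired, ...), 3 = host name is not in the certificate.
check_zimbra_cert() {
    ca=$1; crt=$2; host=$3
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match certificate' || return 3
    return 0
}

# Build a throwaway CA and server certificate (constructed sample input)
# in directory $1 for common name $2, so the check can be tried offline.
make_demo_pki() {
    dir=$1; cn=$2
    mkdir -p "$dir" || return 1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$dir/demo.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$dir/demo.cnf" \
        -subj '/CN=Demo CA' -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -config "$dir/demo.cnf" \
        -subj "/CN=$cn" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 2 -out "$dir/server.crt" 2>/dev/null
}

# Demo on the constructed PKI: run the script with the argument "demo".
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d) && make_demo_pki "$tmp" mail.example.test || exit 1
    for h in mail.example.test wrong.example.test; do
        rc=0
        check_zimbra_cert "$tmp/ca.pem" "$tmp/server.crt" "$h" || rc=$?
        echo "$h -> exit code $rc"
    done
    rm -rf "$tmp"
fi

# On the server from the post, after deploycrt (paths as shown above):
# check_zimbra_cert /opt/zimbra/ssl/zimbra/ca/ca.pem \
#     /opt/zimbra/ssl/zimbra/server/server.crt "$(hostname -f)"
```

A return code of 3 means the certificate was issued for a different name than the one clients connect to, which is the condition that triggers a mismatch warning.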

11 years ago

Help me!!!

root@mail:~# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS…done.
** Saving global config key zimbraCertAuthorityCertSelfSigned…failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned…failed.
** Copying CA to /opt/zimbra/conf/ca…done.

11 years ago
Reply to  Oh


Thanks for your excellent post. Can you help us?

We use Zimbra 6.0 Open Source Edition on SUSE Linux.
We need to generate a new certificate and we followed your procedure even though it was for 5.0.
Everything seems good, but we have the following:

mailbox Stopped
zmmailboxdctl is not running.

and zmprov gives:

[] INFO: I/O exception ( caught when processing request: Connection refused
[] INFO: Retrying request
ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: Connection refused)

Do you have any idea?

Best regards