habibzain Just husband, father and enthusiastic men about System Administration. Love to write short article about it. Perhaps can help and be useful for others.

Zimbra Renew Expired Self-Signed Certificate

1 min read

If you are using Zimbra as your email server, you may have encountered the problem of having an expired self-signed certificate. This can cause security warnings and prevent some clients from connecting to your server. In this blog post, we will show you how to renew your self-signed certificate in Zimbra using the command line interface (CLI).

However, if you are using a self-signed certificate for your Zimbra server, you need to be aware that it has an expiration date. By default, Zimbra generates a self-signed certificate that is valid for 365 days. As far i know, Zimbra version 8.x default install certificate valid until 5 years. When it expires, you will see errors like this in your logs:

zmmailboxd.out:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed

To avoid these errors and ensure your server’s security, you need to renew your self-signed certificate before it expires.

Step By Step Renew Expired Self-Signed Certificate

Here are the steps to do so:

  1. Log in to your Zimbra server as root or sudo user.
  2. Switch to the zimbra user by running the command:
sudo su - zimbra
  1. Generate a new certificate authority (CA)

This step is optional and not required every time you renew your self-signed certificate. However, it is recommended to do so periodically to refresh your CA’s validity and security.

/opt/zimbra/bin/zmcertmgr createca -new
/opt/zimbra/bin/zmcertmgr deployca

4. Generate a new certificate signed by the CA that expires in 3650 days (alias 10 year) or any number of days you prefer. generally best practice to renew certificates on a regular basis (e.g. every 1-3 years) for security reasons. However, if you still want to renew a self-signed certificate in Zimbra for 10 years, you can follow the steps below.

/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
  1. Deploy the new certificate to your server:
/opt/zimbra/bin/zmcertmgr deploycrt self

Copy the new certificate and key files to the appropriate locations and update the configuration files accordingly.

  1. Verify that the new certificate has been deployed correctly by running the command:
/opt/zimbra/bin/zmcertmgr viewdeployedcrt

Display information about the deployed certificate such as its subject, issuer, validity dates, and subject alternative name.

  1. Restart your Zimbra services by running the command:
zmcontrol restart

Stop and start all the Zimbra services and load the new certificate.

See also  Easy Creating CSR and install SSL certificate Windows Server 2016

Testing After Renewal

After all steps done, testing sending mail or access webmail via browser.


That’s it! We have successfully renewal your self-signed certificate in Zimbra. Next check server’s status by accessing the administration console or sending a test email.

We hope this blog post was helpful for you. If you have any questions or feedback, please leave a comment below.

habibzain Just husband, father and enthusiastic men about System Administration. Love to write short article about it. Perhaps can help and be useful for others.

Easy Create Laravel Project with Composer

Requirement Laravel, a popular PHP framework, is renowned for its elegant syntax and robust features, making it a top choice for web developers. One...
1 min read

Virtualbox Change Storage Size

Changing the storage size of a virtual machine in VirtualBox involves a few steps. Here’s a general guide. Backup your Virtual Machine (VM) Before...
35 sec read

Easy Setup Logrotate Nginx Ubuntu

Log rotation is an important aspect of managing log files on a Linux system, including those generated by Nginx. Logrotate is a utility that...
1 min read

Leave a Reply

Your email address will not be published. Required fields are marked *

Never miss good article from us, get weekly updates in your inbox