If you are using Zimbra as your email server, you may have encountered the problem of having an expired self-signed certificate. This can cause security warnings and prevent some clients from connecting to your server. In this blog post, we will show you how to renew your self-signed certificate in Zimbra using the command line interface (CLI).
However, if you are using a self-signed certificate for your Zimbra server, you need to be aware that it has an expiration date. By default, Zimbra generates a self-signed certificate that is valid for 365 days. As far as I know, a default Zimbra 8.x install ships a certificate that is valid for 5 years. When it expires, you will see errors like this in your logs:
zmmailboxd.out:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed
To avoid these errors and ensure your server’s security, you need to renew your self-signed certificate before it expires.
Step by Step: Renew an Expired Self-Signed Certificate
Here are the steps to do so:
1. Log in to your Zimbra server as root or as a sudo user.
2. Switch to the zimbra user by running the command:
sudo su - zimbra
3. Generate a new certificate authority (CA).
This step is optional and not required every time you renew your self-signed certificate. However, it is recommended to do so periodically to refresh your CA’s validity and security.
/opt/zimbra/bin/zmcertmgr createca -new
/opt/zimbra/bin/zmcertmgr deployca
4. Generate a new certificate signed by the CA that expires in 3650 days (about 10 years), or any number of days you prefer. It is generally best practice to renew certificates on a regular basis (e.g. every 1-3 years) for security reasons. However, if you still want to renew a self-signed certificate in Zimbra for 10 years, you can run the command below.
/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
5. Deploy the new certificate to your server:
/opt/zimbra/bin/zmcertmgr deploycrt self
This copies the new certificate and key files to the appropriate locations and updates the configuration files accordingly.
6. Verify that the new certificate has been deployed correctly by running the command:
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
This displays information about the deployed certificate, such as its subject, issuer, validity dates, and subject alternative name.
7. Restart your Zimbra services by running the command:
zmcontrol restart
This stops and starts all the Zimbra services and loads the new certificate.
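To catch the next expiry before the "timestamp check failed" errors above reappear, here is an added example check in POSIX sh; it is not part of the original post. It assumes GNU date (for `date -d`), that `zmcertmgr viewdeployedcrt` prints openssl-style `notAfter=` lines, and a 30-day warning threshold that is an assumed policy value.

```shell
#!/bin/sh
# Added example (not from the original post): warn before the deployed Zimbra
# certificate expires, so renewal happens on schedule rather than after
# zmmailboxd starts logging "timestamp check failed". Assumes GNU date and
# that `zmcertmgr viewdeployedcrt` prints openssl-style "notAfter=" lines.

WARN_DAYS=30   # assumed policy: warn when fewer than 30 days remain

# days_left NOTAFTER NOW_EPOCH: NOTAFTER is an openssl-style date such as
# "Jan 20 00:00:00 2024 GMT"; NOW_EPOCH is passed in so results are reproducible.
days_left() {
    exp_epoch=$(date -u -d "$1" +%s) || return 2
    echo $(( (exp_epoch - $2) / 86400 ))
}

# check_output OUTPUT NOW_EPOCH: scans viewdeployedcrt output, prints one status
# line per certificate, returns 1 if any is expired or inside WARN_DAYS.
check_output() {
    rc=0
    while IFS= read -r line; do
        case "$line" in notAfter=*) ;; *) continue ;; esac
        na=${line#notAfter=}
        if ! d=$(days_left "$na" "$2"); then
            echo "UNPARSABLE date: $na"; rc=2; continue
        fi
        if [ "$d" -lt 0 ]; then
            echo "EXPIRED $(( -d )) days ago: $na"; rc=1
        elif [ "$d" -lt "$WARN_DAYS" ]; then
            echo "WARNING expires in $d days: $na"; rc=1
        else
            echo "OK expires in $d days: $na"
        fi
    done <<EOF
$1
EOF
    return $rc
}

# Constructed sample of viewdeployedcrt output (three services, three states),
# evaluated as of 2024-01-01 00:00:00 UTC (epoch 1704067200).
SAMPLE='::service ldap::
notAfter=Dec  1 00:00:00 2023 GMT
::service mta::
notAfter=Jan 20 00:00:00 2024 GMT
::service proxy::
notAfter=Jan  1 00:00:00 2034 GMT'
check_output "$SAMPLE" 1704067200 || echo "renewal needed (exit $?)"
# On the server, as the zimbra user, check the real deployment instead:
# check_output "$(/opt/zimbra/bin/zmcertmgr viewdeployedcrt)" "$(date +%s)"
```

Run it from cron as the zimbra user and alert on a non-zero exit to get warning well before the next 3650-day (or shorter) validity period runs out.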
Testing After Renewal
Once all the steps are done, test by sending mail or by accessing the webmail via a browser.
Conclusion
That’s it! We have successfully renewed your self-signed certificate in Zimbra. Next, check the server’s status by accessing the administration console or sending a test email.
We hope this blog post was helpful for you. If you have any questions or feedback, please leave a comment below.