Here is what worked for me:
Using RHEL 5, Zimbra 6.0.1 NE, Godaddy Cert
Generate CSR with 2048 bit key, run the following as root
prompt# /opt/zimbra/bin/zmcertmgr createcsr comm -keysize 2048 -new "/C=Country/ST=State/L=City/O=XXX/OU=XXX/CN=xxx.xxx.com" -subjectAltNames "xxx.xxx.com"
The CSR can be found here
/opt/zimbra/ssl/zimbra/commercial/commercial.csr
Get certificate from Godaddy; download the one for tomcat. You will also need to download gd-class2-root.crt from Godaddy's site (https://certs.godaddy.com/anonymous/repository.seam).
When you download the tomcat certificate, you get a .zip file with four files
xxx.xxx.com.crt
gd_intermediate.crt
gd_cross_intermediate.crt
gd_bundle.crt
You will need
xxx.xxx.com.crt,
gd_bundle.crt, and
gd-class2-root.crt.
Use the Zimbra admin console to install the commercially signed certificates.
Signed Certificate: xxx.xxx.com.crt
Root Certificate: gd-class2-root.crt
Intermediate Certificate: gd_bundle.crt
Now here is the kicker (at least for 6.0.1): when you restart Zimbra, the ldap server will fail to start
zimbra$ zmstatus start
Host xxx.xxx.com
Starting ldap...Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
You will get an error message in /var/log/zimbra.log
Oct 20 04:08:13 test zimbramon[30888]: 30888:info: zmmtaconfig: gs:xxx.xxx.com ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
To remedy this, run the following as root
prompt# /opt/zimbra/java/bin/keytool -import -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/commercial_ca.pem
Zimbra should now start with the certificate installed.
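
Added example, not part of the original post: a pre-flight check that a signed certificate chains through its intermediate bundle to a given root, which is the condition behind the "unable to find valid certification path" error above. It assumes the openssl command-line tool is installed; check_chain, new_csr and make_demo_chain are hypothetical helper names, and the demo certificates are constructed locally. With the files from the post the call would be: check_chain xxx.xxx.com.crt gd_bundle.crt gd-class2-root.crt

```sh
#!/bin/sh
# Added example, not from the original post; every name and file is constructed.

# check_chain LEAF INTERMEDIATES ROOT
# Succeeds only if LEAF chains through INTERMEDIATES to the trusted ROOT,
# the same path building that failed in the PKIX error above.
check_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# new_csr DIR NAME: 2048-bit key and CSR with a constructed subject
new_csr() {
    openssl req -new -config "$1/o.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# make_demo_chain DIR: root -> inter -> leaf, plus an unrelated "other" root
# standing in for a trust store that does not contain the issuing CA.
make_demo_chain() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' \
        > "$d/o.cnf"
    for n in root other inter leaf; do new_csr "$d" "$n" || return 1; done
    for n in root other; do
        openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
            -extfile "$d/o.cnf" -extensions ca -out "$d/$n.crt" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/o.cnf" -extensions ca \
        -out "$d/inter.crt" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -set_serial 3 -days 2 -out "$d/leaf.crt" 2>/dev/null
}

tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT
make_demo_chain "$tmp" || { echo "openssl failed to build demo chain" >&2; exit 1; }
check_chain "$tmp/leaf.crt" "$tmp/inter.crt" "$tmp/root.crt" \
    && echo "correct root: chain verifies"
check_chain "$tmp/leaf.crt" "$tmp/inter.crt" "$tmp/other.crt" \
    || echo "wrong root: no valid certification path"
```

This only confirms that the three files form a complete chain. Zimbra's Java processes trust what is in the cacerts keystore, which is why the keytool import above is still required.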