1) don't use Ajcody's cli recipe for cacert. It's not for zimbra 6 and will always leave a system broken and having to have certs wiped and a new self signed one installed.
Ajcody-Notes-SSLCerts - Zimbra :: Wiki
2) use cacert's cacert-bundle, not just their root cert.
attachment:cacert-boundle.crt of FAQ - CAcert Wiki
and the cert will install from the gui. don't use an intermediate
I got it to install from the gui but still had a broken system afterwards.
Starting logger...Failed.
Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderE xception: unable to find valid certification path to requested target)
zimbra logger service is not enabled! failed.
next I'm going to try to 'install all servers', not just myname.us.
Or am I wasting my time? Are signed certs broken in the GA 6.x release?