I wanted to post a quick note for anyone using DigiCert Wildcard certs on Zimbra 5. If you issue a cert that is expiring after Jan 2011 you will want to read this quick tip. This may save you some time.

Normally, DigiCert issues a package with the star_domain_ext.p7b, star_domain_ext.crt, along with the TrustedCA and intermediate DigiCertCA.

I was reinstalling my certificate from command line and running into the following error:

[root@zagnut commercial]# /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
** Verifying commercial.crt against commercial.key
Certificate (commercial.crt) and private key (commercial.key) match.
XXXXX ERROR: Invalid Certificate: commercial.crt: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
error 2 at 1 depth lookup:unable to get issuer certificate

After quite some time trying to figure out what was different than a year ago, I found this SSL Certificate Troubleshooting - Trusted Certificate Authority Error and at the bottom it discusses an issue with IE7 Firefox 3 and the DigiCert High Assurance CA-3.

There is a link in this note to a file (NOT INCLUDED IN THE PACKAGE) that you will also need, called DigiCertBridge.crt. By combining this file, the DigiCertCA and TrustedCA into commercial_ca.crt you can fix the above issue and install your new cert with ease.

Hope this helps someone out.