SSL Certs

[ekmeek]

We're having a little trouble understanding what we need certificate-wise for our installation, so if someone could enlighten us to what they did we would appreciate it. We're going to be purchasing commercial certificates.

We have installed the Network Edition of Zimbra. We have 2 Proxies/MTA's, 2 LDAP's, and 2 Mail Stores. We also have 2 load balancers directing traffic to the MTA's proxy servers.

We're going to be using multiple domain names (smtp.ourdomain.com, imap.ourdomain.com, pop.ourdomain.com, etc) until we complete migration and then we'll start pointing our normal domain (mail.ourdomain.com) to the new Zimbra install.

Do we need to purchase one or multiple certificates, and do they get installed on all Zimbra servers, or just the Proxies/MTA's or the mail stores? Would we need to also install on the load balancers (probably a question for them)?

Any guidance appreciated.

Thanks,

Eric

[ewilen]

(Very) partial answer: currently you can only install one cert per Zimbra server. I assume only one per ZCS. So if you want to have multiple domains with SSL, you need to use a UCC cert. There's a bugzilla RFE to allow multiple certs.

Some load balancers such as Brocade (formerly Foundry) ServerIron offer an SSL termination mode where (as the name says) SSL terminates on the balancer and then traffic is handled in the clear from there to the server. Probably not relevant to your case but it's worth noting as a caveat and/or possible workaround.