Hi everyone,

I have a quite strange problem with SSL certs here ... I try to install a commercial cert with an intermediate cert which already works in apache2. I copied my key to /opt/zimbra/ssl/zimbra/commercial/commercial.key and tried to test (or deploy) the cert given by PositiveSSL. I have three files there:
  • mycert.crt: The cert file
  • mycert.chain: The root cert + the intermediate cert
  • mycert.complete: The root cert + the intermediate cert + the cert

The cert files seem to be okay:
openssl verify -CAfile mycert.chain
mycert.chain: OK
openssl verify -CAfile mycert.complete
mycert.complete: OK
It also matches agains the private key. But: it seems to have problems to follow the chain:

/opt/zimbra/bin/zmcertmgr deploycrt comm mycert.crt mycert.chain 
** Verifying mycdert.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (mycert.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: mycert.de.crt: XXXXXXXXXXXXXXXX
error 2 at 2 depth lookup:unable to get issuer certificate
It seems to ignore the chain file somehow. It does also not work with these commands:
/opt/zimbra/bin/zmcertmgr deploycrt comm mycert.crt mycert.complete
/opt/zimbra/bin/zmcertmgr deploycrt comm mycert.complete
I have no more ideas what to do - especially because openssl verify says everything is okay. Can you help me? Thanks!

My system btw:
- ubuntu 10.04
- zimbra 6.0.9 open source edition