Ok fellows this is how I finally got my certs working on my ms mobile clients and Firefox 2.
Just for background, I was using wildcard and switched to a single cert. I already owned the single cert, paid for it so the cost was already there. You decide what is best for you, but if you are trying to use this to get wildcard to work with Windows Mobile 5 or 6, this is not the place for you.
Take a look at
Commercial Certificate in 5.x - Zimbra :: Wiki
Read it, just to have some background and to loosen up those cobwebs in the mind.
We are going to use the first portion of it to deploy our certs.
When you generate a CSR from the web interface (which is what I did; it works well, it's easy, and I don't know how to do it manually), it places that CSR in /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/ as current.csr. It also gives you a link to download it to give to your CA for a cert.
I used DigiCert. I gave them my CSR, selected an "Apache" type cert and then went through their process. I got the cert and also downloaded the root (TrustedRoo.crt) and the intermediate (DigiCertCA.crt).
I returned to my Zimbra admin Interface and selected "Install Certificate" and selected the server and "Install the commercially signed certificate". This errored out, but I wanted to try it anyway.
I can't remember the error; it was either the jetty error or the i/o error, but I'm not going to reproduce it for this doc, sorry.
What the web interface did do was place a few files in the proper place.
It copied and cat'd the root and the intermediate and placed them in a file in /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/ as current_chain.crt. The location also received a copy of the cert, named current.crt.
Also created were the files commercial.crt, commercial.csr and commercial_ca.crt in /opt/zimbra/ssl/zimbra/commercial/.
Ok, so that's where the history of the wiki page we read earlier comes into play. You have all probably tried the above steps as I had done. I then turned to the old reliable cli.
I used the Wiki instructions along with the files that had been placed by the admin interface.
This is the only section of the wiki I used!!!!
/opt/zimbra/bin/zmcertmgr
If the Administration Console>Certificates Wizard is not doing the job, we then resort to the command line.
Note: This tool must be run as root.
It requires the following:
* The private key must exist in /opt/zimbra/ssl/zimbra/commercial directory and must be named commercial.key with permission set to 740.
* The server certificate and the chain cert files must exist in a temp directory. E.g. /root/certs (for me this was /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/)
* The server cert must be named commercial.crt.
* The chain cert files must be concatenated into one file called commercial_ca.crt.
* Verify that the cert and the key match using this command:
/opt/zimbra/bin/zmcertmgr verifycrt comm /path/to/privatekey /path/to/commercial.crt /path/to/commercial_ca.crt
*****For me this was done with these files and directories:
"/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt"
* From the temp directory, deploy the cert and restart the zimbra services.
This is where I trailed off of the instructions. I deployed the cert from the one that was tested above with this command:
"/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt"
(a) sudo zmcertmgr deploycrt comm /path/to/commercial.crt /path/to/commercial_ca.crt
(b) zmcontrol stop ; zmcontrol start
I did do the start and stop.
****** THIS DEPLOYED MY CERTIFICATE, BUT MY MOBILE OS'S STILL FAILED ******
The only thing I could think to do, cause I have done it for a site before, was to append to the end of my server cert the intermediate cert. So I did that.
I appended /opt/zimbra/ssl/zimbra/commercial/commercial.crt with the intermediate.
Looked like this:
-----BEGIN CERTIFICATE-----
MY SERVER CERT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MY INTERMEDIATE CERT
-----END CERTIFICATE-----
I then reverified my cert:
"/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt"
and redeployed my cert:
"/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt"
and restarted zimbra
zmcontrol stop ; zmcontrol start
and voilà - MS Mobile OS Cheers with glee....!
Hope this may help someone.
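
An added example, not part of the original post: shell helpers that check a certificate file before it is deployed, confirming that the key matches, that the file is ordered server certificate first with each certificate issued by the next, and that a client trusting only the root can build a chain from what the server sends. The function names are hypothetical, the openssl command-line tool is assumed to be installed, and the idea that the failing clients held only the root CA is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.
# Requires the openssl command-line tool.

# Number of certificates in a PEM file.
cert_count() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# True if the private key ($1) belongs to the first certificate in $2.
key_matches_cert() {
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True if every certificate in the file was issued by the one after it
# (issuer of cert i == subject of cert i+1). A single cert passes trivially.
chain_in_order() {
    local dir n i issuer subject rc
    n=$(cert_count "$1") || return 1      # no certificates in the file
    dir=$(mktemp -d) || return 2
    # Split the file into 1.pem, 2.pem, ... keeping file order.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$1"
    rc=0; i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$dir"
    return $rc
}

# Emulates a client that trusts only the root ($1) and receives only the
# certificates in the served file ($2): the first certificate is verified,
# the others are used as untrusted chain-building material.
client_can_build_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>/dev/null | grep -q ': OK$'
}

# Usage with the paths from the post (root.pem is a placeholder for the root CA file):
#   d=/opt/zimbra/ssl/zimbra/commercial
#   key_matches_cert "$d/commercial.key" "$d/commercial.crt" && echo "key ok"
#   chain_in_order "$d/commercial.crt" && echo "order ok"
#   client_can_build_chain root.pem "$d/commercial.crt" && echo "chain ok"
```

With only the server certificate in the file, client_can_build_chain fails; after the intermediate is appended as shown in the post, it succeeds.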