Multi Domain SSL Certs - HOWTO

Revision as of 18:42, 20 November 2011 by Firemike (talk | contribs)

Admin Article

Article Information

This article applies to the following ZCS versions:

  • ZCS 7.0

As of ZCS 7.0 you can secure more than one domain, each with its own SSL certificate. This document explains how to set this feature up in a split-DNS architecture. Nevertheless, be careful and test your configuration before going into production.


To implement this feature correctly, it is very important to understand the logic of this new technique:

  • Each add-on domain needs its own separate public IP!
  • Each add-on domain needs a valid SSL certificate.

(A): Preparing the proxy

  • In the ZCS base installation script, select the proxy services for installation.
  • Then log in as the zimbra user and activate the proxy:
$ zmproxyconfig -m -w -e -x redirect -H `zmhostname`
$ zmproxyctl restart
  • Set the proxy mode for the base domain on the proxy server:
$ zmprov ms zimbraReverseProxyMailMode redirect
  • Set the mail mode on the mailbox server to http for internal communication with the proxy server (it must be http!):
$ zmtlsctl http
  • Test this:
$ zmprov gs `zmhostname` | grep -i mode
  • Restart the proxy:
$ zmproxyctl restart

(B): Certificate installation

  • The certificates have to be installed from the root console.

First check for (or create) the following folder:

# mkdir /opt/zimbra/conf/domaincerts
# cd /opt/zimbra/conf/domaincerts

For each domain, put your keys into this folder ...

  1. (your private key)
  2. (commercial.crt + intermediates + root_CA) [the order of these files is very sensitive; a wrong order might prevent your proxy from starting up, so be careful; see also bug 57271]
  ...

... and run the following commands:

  • Check the keys:
# /opt/zimbra/bin/zmcertmgr verifycrt comm ./ ./
  • Deploy the certs:
# /opt/zimbra/libexec/zmdomaincertmgr deploycrts
  • Save the certs:
# /opt/zimbra/libexec/zmdomaincertmgr savecrt

(C): Virtual IP on the proxy

  • Configure a virtual hostname and a virtual IP for every add-on domain.

Please note: the virtual IPs of add-on domains have to be real IPs in your internal network, so that DNS is able to resolve them!

$ zmprov md +zimbraVirtualHostName +zimbraVirtualIPAddress
$ zmprov md +zimbraVirtualHostName +zimbraVirtualIPAddress
$ zmprov md +zimbraVirtualHostName +zimbraVirtualIPAddress

(D): DNS records - internal net

  • Configure A records in your local DNS server:
    IN  A   (-> IP of your local ZCS; should already be there)
    IN  A
    IN  A

(E): Alias IPs on the mailbox server

  • On Ubuntu systems you have to edit:
# vi /etc/network/interfaces
  • Append the following configuration, for example:
auto eth0:1
iface eth0:1 inet static
name Ethernet alias1 LAN card

auto eth0:2
iface eth0:2 inet static
name Ethernet alias2 LAN card
  • Restart networking:
# /etc/init.d/networking restart

(F): DNS records - external Internet

  • Configure A records in your public provider's DNS server:
    IN  A  x.x.x.x   (-> IP of your ZCS)
    IN  A  y.y.y.y   (separate public IP!)
    IN  A  z.z.z.z

(G): Firewalling

At this point you will need separate NAT/forwarding rules, one per public IP:

  • (x.x.x.x) to
  • to
  • to

To Think About...

Implementing this new multi-SSL feature is not trivial. As you can see, with every additional add-on domain the system becomes more and more complex to administer. As an alternative to this HOWTO you might switch to a single "Multi-Domain" certificate, as provided by GoDaddy for example ...

Verified Against: ZCS 7.1.0
Date Created: 11/18/2011
Article ID:
Date Modified: 2011-11-20
