SSL on Zimbra issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
/opt/zimbra/bin/zmcertmgr deploycrt comm fullchain.cer
It produced this output:
** Verifying '' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Not an RSA key
ERROR: Certificate '' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' do not match.
My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I guess you have an ECDSA key. How did you get your certificate?


/root/ --issue -d --standalone --server letsencrypt --force

thank u for helping if u have any suggestions reply to me please

Please don't use --force

I think uses this switch to make you select if you want an rsa certificate, just add -k 2048 to your command.

  -k, --keylength <bits>            Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384, ec-521.

so generate new certs or is there any way to delete the old one
or no need for that

You can keep the old cert.


I want only to generate cert foe zimbra if u have any doc for that or easy way that would be helpfull also

I don't know. Never used zimbra. What does --list



Ok, you do have an ecdsa certificate. You need an RSA one.

What happens if you run this? Do you get a certificate or an error?

/root/ --issue --keylength 2048 -d --standalone --server letsencrypt


i did not try

Installing a LetsEncrypt SSL Certificate - Zimbra :: Tech Center
Zimbra with Let’s Encrypt Certificates a step-by-step guide (update) - Zimbra : Blog


Zimbra's zmcertmgr tool currently only works for RSA keys, but you can use this patch to make it accept ECC keys as well:

Zimbra confirmed this fix will be part of the next patch release.


Tested working :100:% using OpenSSL 3.0.2 [with RSA and ECC certs]
Thanks @ghen for this much needed improvement!


Now if they could only figure out how to use anything other than RSA certs for DKIM [RFC 8463]...
[not holding my breath for that]