How to set up SNI in Zimbra OSE?

In this article, you will learn how to set up SNI in Zimbra. SNI lets you serve your users without worrying about the limited number of IPv4 addresses available per domain. So let’s take a look at how you can set up SNI for your Zimbra.

To learn more about Zimbra SNI read What is SNI in Zimbra OSE?

SNI setup on Zimbra

To set up Zimbra SNI, the Zimbra proxy service must be installed and enabled on the server. If you are using a multi-server environment, you should perform these steps on the proxy server. You also need a signed certificate with a matching key and the trusted chain certificates from your certificate authority. You can bind multiple SSL certificates to one IPv4 address, for example, => and>, or even have an IPv4 address with different types of SSL certificates, like, => (A Comodo Wildcard SSL Certificate), => (A free Let’s Encrypt SSL Certificate), => (A RapidSSL Certificate).

1. Domain and IP Preparation

To pair an IPv4 address (for example, to a domain (let’s say via a virtual hostname (say,

  • Add a new IPv4 address, for example,
  • Add the new domain,
  • Run this command as a Zimbra user
 zmprov md zimbraVirtualHostName zimbraVirtualIPAddress

To add a new IPv4 address you can alias the new IP (associating more than one IP to a network interface device). The new IP address should be an A record for If the server is on the Internet the IP address could be public and if the server is behind the firewall the IP address could be internal. If the server is behind a firewall and NAT with an external address, check if the external request for reaches the aliased IP address as opposed to the actual local IP of the server.

The zimbraVirtualHostName should be set to the name that will be used to access the domain (URL), and the SSL certificate should be signed for that same name.

2. Certificate Preparation

We assume you have already received the server certificate file for your domain and one or more chain cert files from the certification authority (CA), and that the private key file used in the Certificate Signing Request (CSR) is available on your server.

To summarize, you should have these files:

  • Server certificate file (received from CA)
  • Single or multiple chain cert files (received from CA)
  • Private key file (available in your server)

For example, let’s say you have received two intermediate cert files ( and, which with one server certificate file ( and one private key file ( makes a total of four files.

  • Save all files in a directory like /tmp/, so we have
ls /tmp/
  • Concatenate the chain intermediate files if you received more than one to have a single file, for example, example.com_ca.crt
cat >> example.com_ca.crt

3. Certificates Verification

To verify that the server certificate and the key match and that the chain cert files complete the trust chain, run this command:

/opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/ /tmp/ /tmp/

The output should be similar to this if you have the proper files:

 ** Verifying against
 Certificate ( and private key ( match.
 Valid Certificate: OK

4. Certificate Implementation

  • Concatenate the chain cert file and server certificate file to have a single file, for example,
 cat example.com_ca.crt >>
  • Save the certificate and key files in the LDAP by running this command as a Zimbra user
/opt/zimbra/libexec/zmdomaincertmgr savecrt
  • Deploy the certificate on the domain by running this command as a Zimbra user
/opt/zimbra/libexec/zmdomaincertmgr deploycrts

5. Proxy Modification

  • On the proxy server, set zimbraReverseProxySNIEnabled to TRUE on both the server and global configuration by
zmprov ms `zmhostname` zimbraReverseProxyGenConfigPerVirtualHostname TRUE
 zmprov mcf zimbraReverseProxyGenConfigPerVirtualHostname TRUE
  • Restart the proxy
zmproxyctl restart

6. Testing

On your server, check that the correct domain certificate is presented when you access the domain with either zimbraVirtualHostName or zimbraVirtualIPAddress by running this command:

openssl s_client -servername -connect your-server-name-or-IP-address:port

For example,

openssl s_client -servername -connect
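The check from step 6 repeated over several hostnames, as an added example that is not part of the original article or of Zimbra's own tooling: it fetches the certificate the proxy presents for each SNI name and confirms that it covers that name and is not about to expire. The function names, the 30-day threshold and the script name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: confirm the proxy serves the right certificate for each SNI name.
# Usage (hypothetical script name): sh check_sni.sh ADDRESS:PORT HOSTNAME [HOSTNAME...]

# Print the leaf certificate (PEM) the server presents for SNI name $2.
fetch_sni_cert() {
    openssl s_client -servername "$2" -connect "$1" </dev/null 2>/dev/null |
        openssl x509 2>/dev/null
}

# Succeed if the certificate in file $1 is valid for hostname $2 (SAN, or CN fallback).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Succeed if the certificate in file $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Check every hostname against one listener; return non-zero if any check fails.
check_sni() {
    target=$1; shift; rc=0
    tmp=$(mktemp) || return 2
    for host in "$@"; do
        if ! fetch_sni_cert "$target" "$host" >"$tmp" || [ ! -s "$tmp" ]; then
            echo "FAIL $host: no certificate received from $target"; rc=1
        elif ! cert_matches_host "$tmp" "$host"; then
            # A mismatch usually means the proxy fell back to its default certificate.
            echo "FAIL $host: served $(openssl x509 -in "$tmp" -noout -subject)"; rc=1
        elif ! cert_valid_for_days "$tmp" 30; then
            echo "WARN $host: certificate expires within 30 days"; rc=1
        else
            echo "OK   $host: $(openssl x509 -in "$tmp" -noout -enddate)"
        fi
    done
    rm -f "$tmp"
    return $rc
}

# Run only when called with a target and at least one hostname.
if [ "$#" -ge 2 ]; then check_sni "$@"; fi
```

A FAIL line showing another domain's subject is the typical sign that the domain certificate was not deployed or the proxy was not restarted after step 5.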

Product marketing and technical writer at Zextras, an open-source and technology enthusiast who creates instructional and technical articles about Zextras and Zimbra.
