Prepare the necessary files:

• commercial.key
  Contains private key that is used to generate CSR (for a wildcard certificate, this private key can be from another machine from a same domain)
• commercial.crt
  Contains a commercial SSL certificate that is generated by a CA, such as “RapidSSL Wildcard certificate” in my case
• ca_bundle.crt
  Contains CA’s bundle such as “RapidSSL/Wildcard SHA-2 under SHA-1 root” from https://www.namecheap.com/support/knowledgebase/article.aspx/9393/69/where-do-i-find-ssl-ca-bundle)

Installation steps:

# su zimbra
$ ls /opt/zimbra/ssl/zimbra/commercial/
commercial.key
$ ls /tmp/ssl/
ca_bundle.crt  commercial.crt
$ zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/ssl/commercial.crt /tmp/ssl/ca_bundle.crt
** Verifying '/tmp/ssl/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/tmp/ssl/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/tmp/ssl/commercial.crt' against '/tmp/ssl/ca_bundle.crt'
Valid certificate chain: /tmp/ssl/commercial.crt: OK
$ zmcertmgr deploycrt comm /tmp/ssl/commercial.crt /tmp/ssl/ca_bundle.crt
...
** Copying '/tmp/ssl/commercial.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/tmp/ssl/ca_bundle.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/tmp/ssl/ca_bundle.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
...
$ zmcontrol restart
$ zmcertmgr viewdeployedcrt

Verification:

Verify using https://www.ssllabs.com/ssltest/

Source:

• https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO20541
• https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools