Self-Signed Certificate issue

dovecot at dovecot at
Fri Sep 23 20:45:16 UTC 2016

Try this:

Create a directory and do the following in that directory.

Create the file openssl.cnf with the following information:

[ req ]
default_md = sha256
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = US
localityName = Boulder
organizationName = Your organization's name here
organizationalUnitName = IT Department
emailAddress = some email address at your company
commonName = "Just a simple statement about the company"

[ certauth ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true

[ client ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth

Just change the things you need to for you.

Then issue the following command.

openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout dovecot.key -x509 -days 365 -extensions certauth -outform PEM -out dovecot.pem -subj "/C=US/postalCode=00000/ST=state/L=city/streetAddress=some street/O=company name/OU=IT Department/CN=dovecot cert/emailAddress=email at"

Just change the C, O, OU, etc. for your needs.

Then verify the contents via:

openssl x509 -noout -in dovecot.pem -subject
openssl x509 -noout -in dovecot.pem -issuer
openssl x509 -noout -in dovecot.pem -enddate

openssl x509 -noout -in dovecot.pem -text

This will show what is in the certificate.

Now copy the pem & key files to where you want them.

Restart dovecot. You may have to change the configuration to use the names just created.

Dave Ryan

On 09/23/16 11:07, Darryl Baker wrote:
> My apologies if this is a repeat but my search of the archive did not turn
> it up in the recent past. If this has been covered just point me at the
> previous thread, please.
> I am running a small email site which I am moving from uw-imapd and Solaris
> to Ubuntu and Dovecot imaps and pop3s. I am trying to use a self-signed
> certificate for this site. I am using Thunderbird as the test client. I've
> tried both the pre-built snakeoil certificate and building a special one
> for dovecot. In /var/log/mail.err I keep getting what I am interpreting as
> a missing CA cert. The message is:
> dovecot: imap-login: Error: SSL: Stacked error: error:14094418:SSL
> routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
> The certificate was created by:
> openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/dovecot.pem
> -keyout /etc/ssl/private/dovecot.pem
> The Dovecot version is 2.2.22 (fe789d2). The Ubuntu version is 16.04 LTS with
> current patches.
> *Darryl Baker*
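As an added example (not part of either message above), the script below turns the recipe from the reply into a repeatable set of checks. Alert number 48 ("unknown ca") is the client telling the server that it does not trust the issuer of the presented certificate; for a self-signed certificate the client has to be given the certificate itself as its trust anchor, so the script validates the new certificate against itself exactly the way a client would after importing it, confirms the private key belongs to it, and confirms the certauth extensions were actually applied. The config is modelled on the one in the reply with the digest name corrected to sha256 and a subjectAltName added; the working directory, hostname (mail.example.invalid) and organisation values are placeholders I chose, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: generate a self-signed
# certificate for Dovecot and verify it before handing it to a client.
set -eu

# Assumption: a scratch directory; override with WORKDIR=/path if you prefer.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write an openssl.cnf based on the reply's layout. "prompt = no" makes the
# [ req_distinguished_name ] values real values rather than prompt labels, so
# no -subj is needed on the command line. All values here are placeholders.
write_config() {
  cat > "$1/openssl.cnf" <<'EOF'
[ req ]
default_md = sha256
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
countryName = US
localityName = Boulder
organizationName = Example Org
organizationalUnitName = IT Department
commonName = mail.example.invalid

[ certauth ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
subjectAltName = DNS:mail.example.invalid
EOF
}

# Create the key and a 365-day self-signed certificate, as in the reply.
make_cert() {
  openssl req -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/dovecot.key" -x509 -days 365 -extensions certauth \
    -out "$1/dovecot.pem" >/dev/null 2>&1
}

# A self-signed certificate must validate against itself as the trust anchor.
# This is the check a client performs once the cert has been imported as a CA;
# if it fails here, the client will send the "unknown ca" alert too.
verify_self_signed() {
  openssl verify -CAfile "$1/dovecot.pem" "$1/dovecot.pem" >/dev/null 2>&1
}

# Print "match" when the private key belongs to the certificate. A mismatched
# pair (e.g. key and cert copied from different runs) breaks TLS outright.
key_matches_cert() {
  cert_mod=$(openssl x509 -noout -modulus -in "$1/dovecot.pem")
  key_mod=$(openssl rsa -noout -modulus -in "$1/dovecot.key" 2>/dev/null)
  if [ "$cert_mod" = "$key_mod" ]; then echo match; else echo mismatch; fi
}

# Print the subject CN so it can be compared with the hostname clients use.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1/dovecot.pem" \
    | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Print "yes" when the certauth extensions (basicConstraints CA:TRUE) landed.
cert_is_ca() {
  if openssl x509 -noout -text -in "$1/dovecot.pem" | grep -q 'CA:TRUE'; then
    echo yes
  else
    echo no
  fi
}

write_config "$WORKDIR"
make_cert "$WORKDIR"
# Summary for the operator: copy dovecot.pem / dovecot.key into place only
# when every line below reports the expected result.
echo "self-signed verify: $(verify_self_signed "$WORKDIR" && echo ok || echo FAILED)"
echo "key matches cert:   $(key_matches_cert "$WORKDIR")"
echo "subject CN:         $(cert_cn "$WORKDIR")"
echo "is CA:              $(cert_is_ca "$WORKDIR")"
```

Run it as `WORKDIR=/tmp/dovecot-cert sh make-cert.sh`; the files it leaves in the directory are the ones to copy into /etc/ssl and reference from the Dovecot ssl_cert and ssl_key settings. Until the client has the resulting dovecot.pem in its trust store, a correctly built self-signed certificate still produces the "unknown ca" alert, so the final step is on the client side, not the server side.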
