Try this:
Create a directory and do the following in that directory.
Create the file openssl.cnf with the following information:
[ req ]
default_md = sha256
# use the values in req_distinguished_name as-is instead of prompting for them
prompt = no
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = US
localityName = Boulder
organizationName = Your organization's name here
organizationalUnitName = IT Department
emailAddress = some email address at your company
commonName = "Just a simple statement about the company"

# extensions for the self-signed certificate: marks it as a CA so clients can import it as a trust anchor
[ certauth ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true

# extensions for a client certificate (not used by the req command below)
[ client ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
Just change the things you need to for you.
Then issue the following command.
openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout dovecot.key \
    -x509 -days 365 -extensions certauth -outform PEM -out dovecot.pem \
    -subj "/C=US/postalCode=00000/ST=state/L=city/streetAddress=some street/O=company name/OU=IT Department/CN=dovecot cert/emailAddress=email@yourcompany.com"
Just change the C, O, OU, etc for your needs.
Then verify the contents via:
openssl x509 -noout -in dovecot.pem -subject
openssl x509 -noout -in dovecot.pem -issuer
openssl x509 -noout -in dovecot.pem -enddate
openssl x509 -noout -in dovecot.pem -text
This will show what is in the certificate.
Now copy the pem & key files to where you want them.
Restart dovecot. You may have to change the configuration to use the names just created.
Dave Ryan
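The procedure above (write the config, generate the self-signed certificate with the certauth extensions, verify it) as one script. This is an added example, not code from the original post: the directory argument, the example subject values (mail.example.com, Example Mail Co) and the check_dovecot_cert helper are this example's own choices. The check confirms the three properties a client needs before it can be told to trust the certificate: it is self-signed (subject equals issuer), it carries CA:TRUE, and it verifies against itself; it also confirms the private key matches the certificate.

```shell
#!/bin/sh
# Added example (not from the original post): generate a self-signed
# certificate for Dovecot using the certauth extensions, then check it.
set -eu

# Write the config and generate key + self-signed certificate into $1.
# The DN values are illustrative placeholders; edit them for your site.
make_dovecot_cert() {
    dir="$1"          # working directory (assumed to be writable)
    days="${2:-365}"  # validity in days
    mkdir -p "$dir"
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
default_md = sha256
prompt = no
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
C = US
ST = Colorado
L = Boulder
O = Example Mail Co
OU = IT Department
CN = mail.example.com
emailAddress = postmaster@example.com

[ certauth ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
EOF
    openssl req -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/dovecot.key" -x509 -days "$days" \
        -extensions certauth -out "$dir/dovecot.pem" 2>/dev/null
}

# Return 0 if the certificate is self-signed, marked CA:TRUE, still valid,
# verifies against itself, and matches the private key.  Each failure
# prints why, so a mismatch is obvious before the files go to dovecot.
check_dovecot_cert() {
    pem="$1"
    key="$2"
    subj=$(openssl x509 -noout -in "$pem" -subject)
    iss=$(openssl x509 -noout -in "$pem" -issuer)
    # strip the "subject"/"issuer" labels and compare the DN text
    [ "${subj#subject}" = "${iss#issuer}" ] \
        || { echo "subject and issuer differ: not self-signed"; return 1; }
    openssl x509 -noout -in "$pem" -text | grep -q 'CA:TRUE' \
        || { echo "basicConstraints CA:TRUE missing"; return 1; }
    openssl x509 -noout -in "$pem" -checkend 0 >/dev/null \
        || { echo "certificate has expired"; return 1; }
    # a CA:TRUE self-signed certificate must verify as its own trust anchor
    openssl verify -CAfile "$pem" "$pem" >/dev/null 2>&1 \
        || { echo "certificate does not verify against itself"; return 1; }
    cmod=$(openssl x509 -noout -modulus -in "$pem")
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    [ "$cmod" = "$kmod" ] \
        || { echo "private key does not match certificate"; return 1; }
    return 0
}

# Usage: sh this_script.sh /path/to/workdir
if [ "$#" -gt 0 ]; then
    make_dovecot_cert "$1" 365
    check_dovecot_cert "$1/dovecot.pem" "$1/dovecot.key" \
        && echo "$1/dovecot.pem: OK, import it into the mail client as a trusted CA"
fi
```

Once the files are in place and dovecot has been restarted, `openssl s_client -connect mail.example.com:993 -CAfile dovecot.pem` should report `Verify return code: 0 (ok)`; until the client has imported dovecot.pem as a trusted authority, it will keep sending the "unknown ca" alert (number 48) seen in the log.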
On 09/23/16 11:07, Darryl Baker wrote:
My apologies if this is a repeat but my search of the archive did not turn it up in the recent past. If this has been covered just point me at the previous thread, please.
I am running a small email site which I am moving from uw-imapd and Solaris to Ubuntu and Dovecot imaps and pop3s. I am trying to use a self-signed certificate for this site. I am using Thunderbird as the test client. I've tried both the pre-built snakeoil certificate and building a special one for dovecot. In /var/log/mail.err I keep getting what I am interpreting as a missing CA cert. The message is:
dovecot: imap-login: Error: SSL: Stacked error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
The certificate was created by:
openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/dovecot.pem -keyout /etc/ssl/private/dovecot.pem
The Dovecot version is 2.2.22 (fe789d2). The Ubuntu version is 16.04 LTS with current patches.
*Darryl Baker*