[Dovecot] question about changing certificate

Gedalya gedalya at gedalya.net
Mon Jun 11 22:39:39 EEST 2012

On 06/11/2012 08:28 AM, oni-neko at gmx.net wrote:
> Good day!
> I'm having trouble changing certificate/keys for my dovecot(version 1.2.9).
> When I set up the server (unbuntu lts 10.4.4) I did it with a self-signed certificate. I can't remember exactly what I did, just that I followed the wiki and it worked fine =)
> Now I have to change the certificate because a friend bought an official one (from thawte) and I'm a bit stumped.
> As dovecot can use supposedly use the same file for both key and cert file, I copied the new certificate to /etc/ssl/private/dovecot.pem and to /etc/ssl/certs/dovecot.pem.

Are both files identical, do they both contain the private key?

Why keep two copies of the same file? That's confusing. If you don't 
want to use separate files for the certificate and the private key then 
just concatenate them both in a single file, private key first, and make 
sure it's owned by root and readable by no one but root.

Then just point ssl_cert_file and ssl_key_file to the same file. That 
should be more clear and consistent.

Your file should look like this:


Followed by any intermediate CA certificates that might be necessary.

> some googling brought up the file ssl-cert-snakeoil.key in /etc/ssl/private and /etc/ssl/certs that some people change in that context. As I also have a symlink /etc/ssl/private/ssl-mail.key that points to /etc/ssl/private/ssl-cert-snakeoil.key I'm starting to be confused (even more). dovecot is using the dovecot.pem-files, who/what uses the ssl-mail.key?

If there's no reference to this file in dovecot's configuration then 
dovecot isn't using it. Maybe someone else e.g. postfix, maybe someone 
used to use it.. does it matter? It doesn't look like this is the source 
of your trouble.

More information about the dovecot mailing list