[Dovecot] question about changing certificate

Gedalya gedalya at gedalya.net
Wed Jun 13 13:14:51 EEST 2012

On 06/13/2012 03:47 AM, oni-neko at gmx.net wrote:
> next question: do I need the key to use the certificate or can I only use the certificate and leave the value of ssl_key_file empty?
You certainly can't use the certificate without the key. And I guess 
dovecot needs ssl_key_file, unless it would be smart enough to figure it 
out for itself when you omit it. Either way, here is basically how it 
works. A certificate is not a secret, you in fact push it down to every 
connecting client. A certificate is something that identifies a server, 
and the private key is what makes it possible for you to demonstrate 
that you are the owner of the certificate.
When a CA signs your certificate, you send them the public half of your 
key, and they make a certificate from it, and sign it, and that 
basically says: we were convinced that the entity that holds this key 
has a legitimate connection to this domain name. All that remains is for 
you to prove to the world that you are actually you = you are in 
possession of the private key. So, dovecot actually needs the key to do 
this mathematical magic every time a client connects.

More information about the dovecot mailing list