Generating SSL key for Dovecot and Postfix

ssl postfix email-server dovecot

20,218

The comments from @drookie and @andytech helped me to solve the issue. There were no errors, just lack of understanding and attention.

After searching for answer even more, I found a good article about SSL-key generation: https://msol.io/blog/tech/create-a-self-signed-ssl-certificate-with-openssl/

Regarding the .pem absence, I have missed that the certificate is generated into /etc/dovecot/cert.pem and not into /etc/dovecto/private/cert.pem.

20,218

0leg

Updated on September 18, 2022

Comments

0leg over 1 year
Following this tutorial: https://www.vultr.com/docs/simple-mailserver-postfix-dovecot-sieve-debian

Trying to create a self-signed SSL certificate for testing purposes for my mail server, using code:
```
openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout /etc/dovecot/private/mykey.key -out /etc/dovecot/mycert.pem
```
Now, modifying Postfix and Dovecot config files. What I don't understand is how this code:
```
smtpd_tls_cert_file = /etc/dovecot/private/mykey.pem
smtpd_tls_key_file = /etc/dovecot/private/mycert.pem
smtpd_use_tls = yes
```
And this code:
```
ssl = yes
ssl_key = /etc/dovecot/private/mykey.pem
ssl_cert = /etc/dovecot/private/mycert.pem
```
suppose to work? First of all there is only one file created - /etc/dovecot/private/mykey.key.

May be someone can explain what files does one suppose to get after running openssl command - PEM of KEY file?

EDIT: I understood that the result of this command:
```
openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout /etc/dovecot/private/mykey.key -out /etc/dovecot/mycert.pem
```
should be 2 files generated - mykey.pem (unsigned key) and mycert.pem (self-signed certificate), but it is not happening. I have done it in different way:
```
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out csr.pem
openssl req -x509 -days 365 -key key.pem -in csr.pem -out certificate.pem
```
But curious why is this shortcut-code not working? Where is the syntax mistake?
- Admin over 8 years
  
  Both. But you didn't do your homework: howtos describing the self-signed certificate creation are widespread all over the internet. google://openssl self-signed certificate.
- Admin over 8 years
  
  I was curious if the command ran successfully, since I've got only mykey.key
- Admin over 8 years
  
  Hopefully silly question - you do realise the certificate file is being written to a different directory (/etc/dovecot) than the key file (/etc/dovecot/private), right?
- Admin over 8 years
  
  @andytech Oh... OH!!!! And this is what happens when you look at the thing for too long.. you misses the obvious.
Toskan over 7 years

just say the article is wrong that you linked!
Toskan over 7 years

jesus christ man! what a waste of time!!! not only is the path wrong, the file format of the file is wrong too! it is mykey.key not mykey.pem