Command to create a Dovecot certificate – self signed, CSR request.

without comments

openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/dovecot.pem -keyout /etc/ssl/private/dovecot.pem

What you enter in the fields is entirely your choice. The only notable exception is the “Common Name” which has to be exactly the name of your server in the way that users will access it. So if you tell your users to access your mail server at “” then this has to be entered here. This certificate will be valid for 10 years (10 times 365 days).

Do not forget to set the permissions on the private key so that no unauthorized people can read it:

chmod o= /etc/ssl/private/dovecot.pem

And you will have to restart Dovecot to make it read your new certificate.


See for Dovecot SSL configuration. Dovecot requires the *.pem extension on all of the files it uses, including the key file. You can use an OpenSSL utility to make the *.pem file if you have a key file. As it says on that Dovecot documentation page, “The key file’s permissions should be restricted to only root (and possibly ssl-certs group or similar if your OS uses such). Dovecot opens both of these files while still running as root, so you don’t need to give Dovecot any special permissions to read them (in fact: do not give dovecot user any permissions to the key file).” So, chown and chgrp to root and chmod to 0400 for the key file and you should be good to go for Dovecot.

Written by spectre

May 10th, 2014 at 5:25 pm

Posted in Tips and Tricks

Leave a Reply