On 03/03/2015 08:12 AM, Timothy Murphy wrote:
> Jason Pyeron wrote:
>
>>> I'm getting endless complaints about my dovecot cert,
>> Exact message please?
> The certificate does not apply to the given host
> The certificate is not signed by any trusted certificate authority
>
>>> Do I really have to use a separate cert and key for dovecot?
>>> Can I not use the "standard" cert in /etc/pki/tls/certs (and key)
>>> from CACert.org ?
>> Post the certificate only, not the private key.
> I've looked at the cert and key and they look ok for what they are,
> a self-signed certificate and key, as created (years ago)
> following the instructions in the dovecot installation instructions.
>
> I'm really just asking if I cannot just use what I take to be
> the standard openssl certificate and key in /etc/pki/tls/
> Do I really have to create up a special cert for dovecot?
>

There's not really a "standard" SSL certificate. Perhaps you're
referring to a "default" certificate used by the webserver?

What I typically do is get a real, but free, SSL certificate from some
place like StartSSL (www.startssl.com), and then copy the key and
certificate to the location that's specified for use by dovecot. That
way, both httpd and dovecot are using the same certificate (although
it's stored in 2 different locations).

The other thing to consider with dovecot (if you go with a third-party
certificate) is that you may need to append the intermediate certificate
to your server-specific certificate to properly establish the chain of
trust for clients attempting to verify it.

-Greg
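
Added example, not part of the original message: a shell sketch of the two client errors quoted above and of the reply's point about appending the intermediate certificate. It builds a throwaway root, intermediate and server certificate with the openssl CLI and verifies them the way a client would, trusting only the root; every name, including mail.example.test, is constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> server certificate.
# Every name here (mail.example.test, demo-int, ...) is made up.

build_demo_pki() {   # $1 = empty working directory
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'CN = unused' \
        '[ca]' 'basicConstraints = critical,CA:TRUE' \
        '[srv]' 'subjectAltName = DNS:mail.example.test' > "$d/x.cnf"
    # Self-signed root: the only certificate the client trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/x.cnf" \
        -extensions ca -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
    # Keys and signing requests for the intermediate CA and the server.
    for who in int server; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" \
            -subj "/CN=demo-$who" -keyout "$d/$who.key" \
            -out "$d/$who.csr" 2>/dev/null || return 1
    done
    # Root signs the intermediate; the intermediate signs the server cert.
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/x.cnf" -extensions ca \
        -out "$d/int.crt" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -extfile "$d/x.cnf" -extensions srv \
        -out "$d/server.crt" 2>/dev/null || return 1
    # File to hand to the mail server: server cert first, then intermediate.
    cat "$d/server.crt" "$d/int.crt" > "$d/fullchain.pem"
}

# Verify as a client would: trust only the root ($1), build the chain from
# the certificates the server presents ($2), and match the host name ($3).
chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$3" "$2" \
        >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    build_demo_pki "$d" || { rm -rf "$d"; return 1; }
    for try in "server.crt mail.example.test" "fullchain.pem mail.example.test" \
               "fullchain.pem imap.other.test"; do
        set -- $try
        if chain_ok "$d/root.crt" "$d/$1" "$2"; then r=OK; else r=FAIL; fi
        echo "$1 presented to a client connecting to $2: $r"
    done
    rm -rf "$d"
}
demo
```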