On 08/31/2018 01:47 PM, Chuck Campbell wrote:
> I am getting myself confused, and need someone who fully understands
> this process to help me out a bit.
>
> I would like to obtain an ssl certificate, so I can run my own imap
> server on a machine in my office.
>
> My domain is hosted by networksolutions, but I don't run my imap
> server there.
>
>
> I am assuming I'll need to pay a CA to generate what I need, but I'm
> confused about what I need. I am running dovecot at the moment, but my
> clients (iphone, windows laptops) say my ssl connection is not
> trusted. The phone just won't connect.
>
> I tried emailing the dovecot.pem file to my phone and installing it,
> but it just says it is not trusted.
>
> This leads me to obtaining a real CA issued certificate. I'm not sure
> what to do with it, once I get one, and then if I need to subsequently
> regenerate my dovecot.pem file??

Many large companies run their own CA and install their own root certificate. Often installing a root cert is easier than installing a self-signed independent cert.

There is much written about building your own CA and a number of tools for that like OpenCA.

I can't speak for all your devices or apps, but there should be ways....

In personal promotion, I have been doing my own CA work for ECDSA certs and now for EDDSA certs (and I wonder what commercial CAs are providing them). See my Internet draft:

draft-moskowitz-ecdsa-pki

And my github for pending updates to this and the new eddsa-pki draft (to be published after OpenSSL 1.1.1 is released).

https://github.com/rgmhtt/draft-moskowitz-ecdsa-pki
https://github.com/rgmhtt/draft-moskowitz-eddsa-pki

Or go to OpenCA or look at other CA toolkits available on CentOS and Fedora.

Let's Encrypt is a very important development, but it has (IMHO) a shaking foundation. I would not build a production system around it.

But then I have lived in aspects of PKI since '95...
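
The private-CA approach mentioned in the reply above, sketched with the OpenSSL command line. This is an added example, not part of the original message and not taken from the linked drafts. The host name `imap.example.org`, the CA name, the file names and both function names are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: private ECDSA (P-256) root CA plus one server certificate.
# All names (CN values, file names, imap.example.org) are placeholders.

make_ca_and_server_cert() {   # usage: make_ca_and_server_cert DIR HOSTNAME
    dir=$1 host=$2
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077             # private keys readable by owner only
        cat > pki.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Office Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_srv]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
        # Root: the only certificate that clients need to install and trust.
        openssl ecparam -name prime256v1 -genkey -noout -out ca.key &&
        openssl req -x509 -new -config pki.cnf -key ca.key -sha256 \
            -days 3650 -out ca.crt &&
        # Server key and CSR; clients match the name in subjectAltName.
        openssl ecparam -name prime256v1 -genkey -noout -out server.key &&
        openssl req -new -config pki.cnf -key server.key -subj "/CN=$host" \
            -out server.csr &&
        # Sign the CSR with the root, applying the end-entity extensions.
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -sha256 -days 365 -extfile pki.cnf \
            -extensions v3_srv -out server.crt
    )
}

# Succeeds only if server.crt chains to ca.crt AND is valid for HOSTNAME.
check_server_cert() {         # usage: check_server_cert DIR HOSTNAME
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
        "$1/server.crt" >/dev/null 2>&1
}

if [ "$#" -eq 2 ]; then
    make_ca_and_server_cert "$1" "$2" && check_server_cert "$1" "$2" &&
        echo "ok: $1/server.crt chains to $1/ca.crt for $2"
fi
```

Only `ca.crt` is handed to the phone and laptops as a trusted root; `server.crt` and `server.key` stay on the IMAP server, and `ca.key` should be kept off that machine.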