sslcerts

Using StartSSL

StartSSL provides free signed ssl certificates so you don’t get the ‘this certificate isn’t trusted’ error when visiting a site or using a mailserver.

Had to validate domain, rec’d email at postmaster address and pasted in code.

Requested ssl/tls cert for validated domain and set a strong password, copied key to file on server; select domain for cert; set sub domain mail(.example.org)

Cert valid for example.org and mail.example.org

Finding and replacing current certs

Dovecot and postfix were set up with the self signed key and cert of ‘dovecot.pem’. All config references were found with root@mail:/etc# grep -R dovecot.pem ./*

Apache

I have an https site set up under sites-enabled/default-ssl. Config shows:

SSLCertificateFile    /etc/ssl/certs/mail.example.crt
SSLCertificateKeyFile /etc/ssl/private/mail.example.key

Both files have permissions set to 600 and owned by root.

Dovecot & Postfix

Changes to /etc/dovecot/conf.d/10-ssl.conf:

ssl_cert = </etc/ssl/certs/mail.example.crt
ssl_key = </etc/ssl/private/mail.example.key

Changes to /etc/postfix/main.cf:

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/mail.example.crt
smtpd_tls_key_file=/etc/ssl/private/mail.example.key

Testing new certificates

This site explains how to verify the new certs.