Inspect Current Configuration

cd /etc/pki/dovecot/
more certs/dovecot.pem # This is the one that people will need
more private/dovecot.pem # This is the private half : Don’t reveal

However, the certificate (as it stands) is set up for ‘’, so installing it doesn’t help you access email securely on your server.

The certificate is defined via :
more dovecot-openssl.cnf

Create New Configuration

This needs to be updated with your information, in particular the server entry :

cp dovecot-openssl.cnf dovecot-openssl.cnf-orig # Create a back-up, just in case  
joe dovecot-openssl.cnf   

Get rid of the old certificate pair :

rm /etc/pki/dovecot/certs/dovecot.pem   
rm /etc/pki/dovecot/private/dovecot.pem  

Create the certificate pair :


Make sure that dovecot is expecting secure logins by ensuring /etc/dovecot.conf has the line :

protocols=imaps pop3s  

Now restart dovecot (just in case - you may not need this) :

/etc/init.d/dovecot restart  

Last Step - use the (public) certificate you created

Copy the contents of /etc/pki/dovecot/certs/dovecot.pem into a file on the local (email client) machine, and import the certificate.

In Thunderbird, this is done via : Tools-Options-Advanced-Certificates-ViewCertificates-Authorities-Import and then pick out the file with the dovecot.pem contents in it. Then, the account server options should be set to ‘ssl’ (without secure authentication, though).

Martin Andrews

{Finance, Software, AI} entrepreneur, living in Singapore with my family.