SSL certificate creation¶
Self-signed SSL certificates¶
Self-signed SSL certificates are the easiest way to get your SSL server working. However unless you take some action to prevent it, this is at the cost of security:
The first time the client connects to the server, it sees the certificate and asks the user whether to trust it. The user of course doesn’t really bother verifying the certificate’s fingerprint, so a man-in-the-middle attack can easily bypass all the SSL security, steal the user’s password and so on.
If the client was lucky enough not to get attacked the first time it connected, the following connections will be secure as long as the client had permanently saved the certificate. Some clients do this, while others have to be manually configured to accept the certificate.
The only way to be fully secure is to import the SSL certificate to client’s (or operating system’s) list of trusted CA certificates prior to first connection. See [[SSL/CertificateClientImporting]] how to do it for different clients.
Self-signed certificate creation¶
Dovecot includes a script to build self-signed SSL certificates using OpenSSL. In the source distribution this exists in https://dovecot.org/tools/mkcert.sh. Binary installations usually create the certificate automatically when installing Dovecot and don’t include the script.
The SSL certificate’s configuration is taken from https://dovecot.org/doc/dovecot-openssl.cnf file. Modify the file before running mkcert.sh. Especially important field is the CN (Common Name) field, which should contain your server’s host name. The clients will verify that the CN matches the connected host name, otherwise they’ll say the certificate is invalid. It’s also possible to use wildcards (eg. *.domain.com) in the host name. They should work with most clients.
By default the certificate is created to
/etc/ssl/certs/dovecot.pem and the private key file is created to
/etc/ssl/private/dovecot.pem. Also by default the certificate will expire in 365 days. If you wish to change any of these, modify the