Self-signed Certificates Nano-HOWTO

Ángel Ortega


If you want to use secure connections in the servers you run (and you WANT it), you need a certificate and a key. This document tells briefly how you can create a self-signed certificate to use TLS in your smtp, imap and https connections.

Take note that the 'authentication' part of the certificate serves no purpose in a self-signed certificate, because it's signed by you and not by a recognized certification authority; some programs (specially Firefox) will complain when connecting to your services because they cannot be sure that you really are who you are claiming to be. If that is a problem to you, then this is not the document you are looking for.

Creating the certificate and the key

To create it you need:

The important part of it is the CN (the host name). You MUST create a certificate with exactly the same host name people will use when connecting to your service. If you use different host names for your services (,, etc) you need to create different certificate/key pairs for them.

The magical one-liner:

openssl req -x509 -nodes -days 3650 \
 -subj '/C=ES/ST=Madrid/L=Madrid/' \
 -newkey rsa:1024 -keyout key.pem -out cert.pem

Both parameters to -keyout and -out can be the same file; many programs accept the key and the certificate in the same file.

Store your certificates and keys in /etc/CA and set the permissions to the minimum possible (probably just 600 and owned by root).


Add the following two lines to /etc/dovecot/dovecot.conf:

ssl_cert_file = /etc/CA/cert.pem
ssl_key_file = /etc/CA/key.pem


Add the following in any of your Apache configuration files:

SSLEngine on
SSLCertificateFile    /etc/CA/cert.pem
SSLCertificateKeyFile /etc/CA/key.pem

Of course, you need mod-ssl. If you use virtual hosts, only the first one will work with SSL (this is because the SSL decryption is done before any HTTP header starting with Host: can be parsed).

Courier IMAP

Add the following to /etc/courier/imapd-ssl:


Courier wants both the certificate and the key in the same file. You can happily concatenate both files into one.


Exim4 needs the certificate and the key in separate files. Add the following to /etc/exim4/conf.d/main/000_exim4-config_localmacros: