Un naufragio personal

Self-signed Certificates Nano-HOWTO


If you want to use secure connections in the servers you run (and you WANT it), you need a certificate and a key. This document tells briefly how you can create a self-signed certificate to use TLS in your smtp, imap and https connections.

Take note that the 'authentication' part of the certificate serves no purpose in a self-signed certificate, because it's signed by you and not by a recognized certification authority; some programs (specially Firefox) will complain when connecting to your services because they cannot be sure that you really are who you are claiming to be. If that is a problem to you, then this is not the document you are looking for.

Creating the certificate and the key

To create it you need:

  • The two letter name of your country (C).
  • The name of your state (ST).
  • The name of your city (L).
  • The name of the host computer (CN).

The important part of it is the CN (the host name). You MUST create a certificate with exactly the same host name people will use when connecting to your service. If you use different host names for your services (,, etc) you need to create different certificate/key pairs for them.

The magic one-liner:

 openssl req -x509 -nodes -days 3650 \
  -subj '/C=ES/ST=Madrid/L=Madrid/' \
  -newkey rsa:1024 -keyout key.pem -out cert.pem

Both parameters to -keyout and -out can be the same file; many programs accept the key and the certificate in the same file.

Store your certificates and keys in /etc/CA and set the permissions to the minimum possible (probably just 600 and owned by root).


Add the following two lines to /etc/dovecot/dovecot.conf:

 ssl_cert_file = /etc/CA/cert.pem
 ssl_key_file = /etc/CA/key.pem


Add the following in any of your Apache configuration files:

 SSLEngine on
 SSLCertificateFile    /etc/CA/cert.pem
 SSLCertificateKeyFile /etc/CA/key.pem

Of course, you need mod-ssl. If you use virtual hosts, only the first one will work with SSL (this is because the SSL decryption is done before any HTTP header starting with Host: can be parsed).

Courier IMAP

Add the following to /etc/courier/imapd-ssl:


Courier wants both the certificate and the key in the same file. You can happily concatenate both files into one.


Exim4 needs the certificate and the key in separate files. Add the following to /etc/exim4/conf.d/main/000_exim4-config_localmacros:

 MAIN_TLS_CERTIFICATE = /etc/CA/cert.pem
 MAIN_TLS_PRIVATEKEY = /etc/CA/key.pem