Generate a root private key (rootCA.key):
openssl genrsa -out rootCA.key 2048
Generate a self-signed root certificate (rootCA.pem):
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
Create a private key for the final certificate (dovecot.key):
openssl genrsa -out dovecot.key 2048
Create a certificate signing request (dovecot.csr):
openssl req -new -key dovecot.key -out dovecot.csr
Create a certificate based on the root CA certificate and the root private key (dovecot.crt):
openssl x509 -req -in dovecot.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out dovecot.crt -days 500
Copy the private key and the certificate to the /etc/dovecot/private/ directory:
cp dovecot.crt /etc/dovecot/private/dovecot.crt
cp dovecot.key /etc/dovecot/private/dovecot.key
Set the required permissions on the files:
chmod 400 /etc/dovecot/private/dovecot.crt
chmod 400 /etc/dovecot/private/dovecot.key
Update paths to the key and the certificate in the Dovecot configuration file /etc/dovecot/dovecot.conf:
ssl_cert = </etc/dovecot/private/dovecot.crt
ssl_key = </etc/dovecot/private/dovecot.key
Restart the Dovecot service to apply the changes:
service dovecot restart
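Before restarting, it is worth confirming that the certificate chains to the root CA, that the key and certificate belong together, and that the file modes are as set above. The script below is an added example, not part of the original procedure: the function names are hypothetical, and it builds a throwaway CA in a temporary directory with placeholder -subj values so that it runs non-interactively.

```shell
#!/bin/sh
# Added example: pre-install checks for the files created in the steps above.

# True if the certificate chains to the given root CA certificate.
chain_ok() {            # chain_ok rootCA.pem dovecot.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True if the private key and the certificate hold the same public key.
key_matches_cert() {    # key_matches_cert dovecot.key dovecot.crt
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# True if the path is a regular file with mode exactly 400.
mode_is_400() {         # mode_is_400 /etc/dovecot/private/dovecot.key
    [ -n "$(find "$1" -prune -type f -perm 400 2>/dev/null)" ]
}

# Build a throwaway CA and server certificate with the same commands as the
# steps above (constructed test data; the -subj values are placeholders).
make_demo() {
    DEMO_DIR=$(mktemp -d) || return 1
    ( cd "$DEMO_DIR" &&
      openssl genrsa -out rootCA.key 2048 &&
      openssl req -x509 -new -nodes -key rootCA.key -days 1024 \
          -subj "/CN=Demo Root CA" -out rootCA.pem &&
      openssl genrsa -out dovecot.key 2048 &&
      openssl req -new -key dovecot.key -subj "/CN=mail.example.test" \
          -out dovecot.csr &&
      openssl x509 -req -in dovecot.csr -CA rootCA.pem -CAkey rootCA.key \
          -CAcreateserial -out dovecot.crt -days 500 &&
      chmod 400 dovecot.key dovecot.crt ) >/dev/null 2>&1
}

make_demo || { echo "demo setup failed" >&2; exit 1; }
chain_ok "$DEMO_DIR/rootCA.pem" "$DEMO_DIR/dovecot.crt" && echo "chain: ok"
key_matches_cert "$DEMO_DIR/dovecot.key" "$DEMO_DIR/dovecot.crt" && echo "key/cert: match"
mode_is_400 "$DEMO_DIR/dovecot.key" && echo "key mode: 400"
```

To check the real files, call the three functions with rootCA.pem and the paths under /etc/dovecot/private/ instead of the demo directory.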