Secure Web/Mail/Database with certificate

The web, mail and database services can all present the same certificate to their clients. Each service reads the certificate, the private key and the CA chain from its own configuration, so the same three files are referenced in several places below, and every service must be restarted (or reloaded) after its configuration changes.

Postfix (SMTP server)

Certificate settings are stored in the Postfix main config file (main.cf); set them with postconf:

postconf -e smtpd_tls_cert_file='/etc/pki/tls/certs/cert.pem'
postconf -e smtpd_tls_key_file='/etc/pki/tls/private/privkey.pem'
postconf -e smtpd_tls_CAfile='/etc/pki/tls/certs/fullchain.pem'

Note that smtpd_tls_CAfile is intended for verifying client certificates. Postfix can use it to complete the server's own chain, but the Postfix documentation recommends putting the intermediate certificates directly in the file named by smtpd_tls_cert_file (server certificate first, then the intermediates); if fullchain.pem already begins with the server certificate it can be used there directly. Restarting Postfix service is required.

Dovecot (POP3/IMAP server)

SSL certificate settings are defined in Dovecot main config file, /etc/dovecot/dovecot.conf (Linux/OpenBSD) or /usr/local/etc/dovecot/dovecot.conf (FreeBSD):

ssl = required
ssl_cert = </etc/pki/tls/certs/cert.pem
ssl_key = </etc/pki/tls/private/privkey.pem
ssl_ca = </etc/pki/tls/certs/fullchain.pem

Dovecot uses ssl_ca only when verifying client certificates; the intermediate certificates a mail client needs in order to validate the server must be in the file given to ssl_cert, server certificate first. Restarting Dovecot service is required.


Apache (web server)

  • On RHEL/CentOS, SSL certificate is defined in /etc/httpd/conf.d/ssl.conf.
  • On Debian/Ubuntu, it’s defined in /etc/apache2/sites-available/default-ssl (or default-ssl.conf)
  • On FreeBSD, it’s defined in /usr/local/etc/apache24/extra/httpd-ssl.conf. Note: if you’re running a different version of Apache, the path will be slightly different (apache24 becomes apache[_version_]).
  • On OpenBSD, if you’re running OpenBSD 5.5 or earlier releases, it’s defined in /var/www/conf/httpd.conf. Note: OpenBSD 5.6 and later releases don’t ship Apache anymore.


SSLCertificateFile /etc/pki/tls/certs/cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/privkey.pem
SSLCertificateChainFile /etc/pki/tls/certs/fullchain.pem

SSLCertificateChainFile has been deprecated since Apache 2.4.8; on those versions the intermediate certificates can be appended to the file given to SSLCertificateFile (server certificate first) and the SSLCertificateChainFile directive dropped. Restarting Apache service is required.

Nginx (web server)

  • On Linux and OpenBSD, it’s defined in /etc/nginx/templates/ssl.tmpl (or /etc/nginx/conf.d/default.conf on old iRedMail release)
  • On FreeBSD, it’s defined in /usr/local/etc/nginx/templates/ssl.tmpl (or /usr/local/etc/nginx/conf.d/default.conf on old iRedMail release)

server {
    listen 443 ssl;
    ssl_certificate /etc/pki/tls/certs/cert.pem;
    ssl_certificate_key /etc/pki/tls/private/privkey.pem;
    # remaining server settings unchanged
}

(The ssl on; directive found in older configurations has been removed from current Nginx releases; listen 443 ssl; replaces it.)

Some browsers may complain about a certificate signed by a well-known certificate authority while others accept it without issue. This happens when the issuing authority signed the server certificate with an intermediate certificate that is not in the trust store shipped with a particular browser. In that case the authority provides a bundle of chained certificates which must be concatenated with the signed server certificate, so that the server sends the whole chain and the client can build a path to a trusted root. The server certificate must appear before the chained certificates in the combined file:

# cd /etc/pki/tls/certs/
# cat cert.pem fullchain.pem > server.chained.crt

If fullchain.pem already begins with the server certificate, use it directly and skip the concatenation; otherwise the server certificate would be sent twice.

Then update the ssl_certificate parameter in the template listed above (/etc/nginx/conf.d/default.conf on old iRedMail releases):

    ssl_certificate /etc/pki/tls/certs/server.chained.crt;

Restarting Nginx service is required.

MySQL, MariaDB

If MySQL/MariaDB only listens on localhost and is not reachable from the network, this step is OPTIONAL. The settings go under the [mysqld] section of the config file for your platform, and the service must be restarted afterwards.

  • On Red Hat and CentOS, it’s defined in /etc/my.cnf
  • On Debian and Ubuntu, it’s defined in /etc/mysql/my.cnf.
    • Since Ubuntu 15.04, it’s defined in /etc/mysql/mariadb.conf.d/mysqld.cnf.
  • On FreeBSD, it’s defined in /usr/local/etc/my.cnf.
  • On OpenBSD, it’s defined in /etc/my.cnf.

ssl-ca = /etc/pki/tls/certs/fullchain.pem
ssl-cert = /etc/pki/tls/certs/cert.pem
ssl-key = /etc/pki/tls/private/privkey.pem
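Every section above hands the same three files to a different daemon, and each daemon fails in its own way when the key does not match the certificate or when the intermediate is missing from the bundle (Postfix and Dovecot clients see chain errors, browsers see the Nginx/Apache complaint described earlier). The following POSIX shell script is an added example, not iRedMail's or any project's own code: it checks key/certificate agreement, that the chain file really leads from the server certificate to a root, that the bundle starts with the server certificate, builds the leaf-first bundle without duplicating the leaf, and probes a running service with openssl s_client. It assumes the openssl command-line tool; the default paths are the ones used on this page, and make_test_pki builds a throw-away root/intermediate/leaf (constructed, not a real CA) so the checks can be tried without touching the real files.

```shell
#!/bin/sh
# Added example (not iRedMail's own code): sanity checks for the files that the
# Postfix, Dovecot, Apache, Nginx and MySQL settings on this page point at.
# Requires the openssl command-line tool. Paths default to the page's; each
# function also takes explicit arguments so it can be run against other files.
CERT=${CERT:-/etc/pki/tls/certs/cert.pem}
KEY=${KEY:-/etc/pki/tls/private/privkey.pem}
CHAIN=${CHAIN:-/etc/pki/tls/certs/fullchain.pem}

# Private key belongs to the certificate?  Compare the SHA-256 of the DER public
# key derived from each side; a mismatch makes every service refuse to start.
cert_key_match() {                       # $1 cert, $2 key
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Chain file actually bridges the server cert to a trusted root?  -untrusted
# supplies the intermediates; the root comes from the system store, or from $3.
chain_verifies() {                       # $1 cert, $2 chain, [$3 root]
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

pem_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# First certificate of a bundle is the server cert?  openssl x509 reads only the
# first PEM block, which is what Nginx/Apache/Dovecot/Postfix treat as the
# server certificate when handed a bundle.
first_cert_is() {                        # $1 bundle, $2 expected server cert
    [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ]
}

# Build the leaf-first bundle Nginx wants without duplicating the leaf when the
# CA already shipped it at the top of fullchain.pem.
build_chain() {                          # $1 output, $2 cert, $3 intermediates or fullchain
    if first_cert_is "$3" "$2"; then cat "$3" > "$1"; else cat "$2" "$3" > "$1"; fi
}

# Offline checks against the configured files.
check_all() {
    cert_key_match "$CERT" "$KEY" && chain_verifies "$CERT" "$CHAIN" && first_cert_is "$CHAIN" "$CERT"
}

# What does the running service really send?  STARTTLS for SMTP/IMAP/POP3, plain
# TLS for 443/465/993/995.  Prints the number of certs sent plus the verify
# result, which is what a complaining mail client or browser saw.
probe() {                                # $1 host, $2 port, [$3 smtp|imap|pop3]
    if [ -n "$3" ]; then
        out=$(echo | openssl s_client -connect "$1:$2" -starttls "$3" -showcerts 2>/dev/null)
    else
        out=$(echo | openssl s_client -connect "$1:$2" -servername "$1" -showcerts 2>/dev/null)
    fi
    printf '%s:%s sent %s cert(s); %s\n' "$1" "$2" \
        "$(printf '%s\n' "$out" | grep -c 'BEGIN CERTIFICATE')" \
        "$(printf '%s\n' "$out" | grep 'Verify return code')"
}

# Throw-away root -> intermediate -> leaf PKI, constructed only to exercise the
# checks (nothing here is the page's real CA).  Output files use the page's names.
make_test_pki() {                        # $1 directory
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=TestRoot -keyout "$d/root.key" -out "$d/root.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -set_serial 1 -days 2 -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=TestIntermediate -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=mail.example.com -keyout "$d/privkey.pem" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 -days 2 -out "$d/cert.pem" >/dev/null 2>&1
    cat "$d/cert.pem" "$d/int.pem" > "$d/fullchain.pem"
}
```

Typical use on the server is check_all before the restarts, then probe mail.example.com 587 smtp, probe mail.example.com 993 and probe mail.example.com 443 afterwards (hostname assumed): a probe that reports a single certificate and a "unable to get local issuer certificate" verify result is the missing-intermediate problem the Nginx section describes, regardless of which daemon is answering.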

