Web/Mail/Database can use the same certificate to allow its client to connect to the server.


Dovecot (POP3/IMAP server)

SSL certificate settings are defined in Dovecot main config file, /etc/dovecot/dovecot.conf (Linux/OpenBSD) or /usr/local/etc/dovecot/dovecot.conf (FreeBSD):

Restarting Dovecot service is required.


Apache (web server)

  • On RHEL/CentOS, SSL certificate is defined in /etc/httpd/conf.d/ssl.conf.
  • On Debian/Ubuntu, it’s defined in /etc/apache2/sites-available/default-ssl (or default-ssl.conf)
  • On FreeBSD, it’s defined in /usr/local/etc/apache24/extra/httpd-ssl.conf. Note: if you’re running different version of Apache, the path will be slightly different (apache24 will be apache[_version_]).
  • On OpenBSD, if you’re running OpenBSD 5.5 or earlier releases, it’s defined in /var/www/conf/httpd.conf. Note: OpenBSD 5.6 and later releases don’t ship Apache anymore.


Restarting Apache service is required.

Nginx (web server)

  • On Linux and OpenBSD, it’s defined in /etc/nginx/templates/ssl.tmpl (or /etc/nginx/conf.d/default.conf on old iRedMail release)
  • On FreeBSD, it’s defined in /usr/local/etc/nginx/templates/ssl.tmpl (or /usr/local/etc/nginx/conf.d/default.conf on old iRedMail release)

Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues. This occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the certificate base of well-known trusted certificate authorities which is distributed with a particular browser. In this case the authority provides a bundle of chained certificates which should be concatenated to the signed server certificate. The server certificate must appear before the chained certificates in the combined file:

Then update ssl_certificate parameter in /etc/nginx/conf.d/default.conf:

Restarting Nginx service is required.

MySQL, MariaDB

If MySQL/MariaDB is listening on localhost and not accessible from external network, this is OPTIONAL.

  • On Red Hat and CentOS, it’s defined in /etc/my.cnf
  • On Debian and Ubuntu, it’s defined in /etc/mysql/my.cnf.
    • Since Ubuntu 15.04, it’s defined in /etc/mysql/mariadb.conf.d/mysqld.cnf.
  • On FreeBSD, it’s defined in /usr/local/etc/my.cnf.
  • On OpenBSD, it’s defined in /etc/my.cnf.