Try this:

Create a directory and do the following in that directory.

Create the file openssl.cnf with the following information:

    [ req ]
    default_md = sha256
    distinguished_name = req_distinguished_name

    [ req_distinguished_name ]
    countryName = US
    localityName = Boulder
    organizationName = Your orginizations name here
    organizationalUnitName = IT Department
    emailAddress = some email address at your company
    commonName = "Just a simple statement about the company"

    [ certauth ]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    basicConstraints = CA:true

    [ client ]
    basicConstraints = critical,CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = clientAuth

Just change the things you need to for you.

Then issue the following command:

    openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM \
        -keyout dovecot.key -x509 -days 365 -extensions certauth \
        -outform PEM -out dovecot.pem \
        -subj "/C=US/postalCode=00000/ST=state/L=city/streetAddress=some street/O=company name/OU=IT Department/CN=dovecort cert/emailAddress=email at yourcompany.com"

Just change the C, O, OU, etc. for your needs.

Then verify the contents via:

    openssl x509 -noout -in dovecot.pem -subject
    openssl x509 -noout -in dovecot.pem -issuer
    openssl x509 -noout -in dovecot.pem -enddate
    openssl x509 -noout -in dovecot.pem -text

This will show what is in the certificate.

Now copy the pem & key files to where you want them. Restart dovecot. You may have to change the configuration to use the names just created.

Dave Ryan

On 09/23/16 11:07, Darryl Baker wrote:
> My apologies if this is a repeat but my search of the archive did not turn
> it up in the recent past. If this has been covered just point me at the
> previous thread, please.
>
> I am running a small email site which I am moving from uw-imapd and Solaris
> to Ubuntu and Dovecot imaps and pop3s. I am trying to use a self-signed
> certificate for this site. I am using Thunderbird as the test client. I've
> tried both the pre-built snakeoil certificate and building a special one
> for dovecot. In /var/log/mail.err I keep getting what I am interpreting as
> a missing CA cert. The message is:
>
> dovecot: imap-login: Error: SSL: Stacked error: error:14094418:SSL
> routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
>
>
> The certificate was created by:
>
> openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/dovecot.pem
> -keyout /etc/ssl/private/dovecot.pem
>
>
> The Dovecot version is 2.2.22 (fe789d2) The Ubuntu version is 16.04 LTS
> current patches.
>
>
> *Darryl Baker*
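The error code in the log line quoted above can be unpacked to see which side of the connection raised it. The Python below is an added example, not part of either message in this thread; it assumes the error-code layout of OpenSSL 1.0.x/1.1.x (8-bit library, 12-bit function, 12-bit reason), and its second sample line is constructed.

```python
import re

# Assumption: OpenSSL 1.0.x/1.1.x error layout (it changed in 3.0):
#   bits 31-24 library, bits 23-12 function, bits 11-0 reason.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reason = 1000 + alert number: alert sent by the peer

# Certificate-related alert descriptions from RFC 5246, section 7.2.
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

# Log line from the question above (rejoined), plus one constructed sample.
PAGE_LINE = ("dovecot: imap-login: Error: SSL: Stacked error: error:14094418:"
             "SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48")
CONSTRUCTED_LINE = ("dovecot: imap-login: Error: SSL: error:1408F10B:"
                    "SSL routines:SSL3_GET_RECORD:wrong version number")


def decode_openssl_error(line):
    """Unpack the first OpenSSL error code in a log line; None if there is none."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    info = {"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF, "from_peer": False, "alert": None}
    if info["lib"] == ERR_LIB_SSL and info["reason"] >= SSL_AD_REASON_OFFSET:
        info["from_peer"] = True
        info["alert"] = info["reason"] - SSL_AD_REASON_OFFSET
    return info


def diagnose(line):
    """Say which side rejected the handshake, as far as the code shows."""
    info = decode_openssl_error(line)
    if info is None:
        return "no OpenSSL error code in line"
    if not info["from_peer"]:
        return "local error, reason %d (not a received alert)" % info["reason"]
    if info["alert"] in CERT_ALERTS:
        return "peer rejected our certificate: " + CERT_ALERTS[info["alert"]]
    return "peer sent alert %d" % info["alert"]


if __name__ == "__main__":
    for sample in (PAGE_LINE, CONSTRUCTED_LINE):
        print(diagnose(sample))
```

For the line from the question, the reason code 1048 is alert 48 received by Dovecot, so it is the client that does not trust the certificate's issuer; the server's own certificate and key files loaded without complaint.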