Documentation and HOWTOs

Dovecot and ssl

Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)

cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.pem

In dovecot.conf:

ssl_cert_file = /usr/local/etc/IMAP.EXAMPLE.COM.crt
ssl_key_file = /usr/local/etc/myserver.key
#optional, only if you want to require client to provide cert
#ssl_ca_file = /usr/local/etc/intermediate.pem

Courier-imap and ssl

Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)

cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt > intermediate.pem
cat myserver.key >> IMAP.EXAMPLE.COM.crt

In imapd-ssl:


Network Solutions certificates bundle


cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.txt

Comodo bundle order

COMODORSAOrganizationValidationSecureServerCA. + COMODO rsa add trust ca ( + addtrustexternalcaroot )

Generate a signing request

openssl req -nodes -newkey rsa:2048 -keyout my.domain.key -out my.domain.csr

The resulting csr is the signing request, my.domain.key is the private key you save not readable for anyone but root!


Generate PSK

openssl rand -hex 32

Converting certificates

Create private key (using config file)

openssl req (-config /etc/pki/tls/ -newkey rsa:2048 -nodes -keyout domain.key

Create CSR using config file

openssl req -config /etc/pki/tls/ -new -newkey rsa:2048 -nodes -keyout -out

Convert der to pem

openssl x509 -inform der -in certificate.cer -out certificate.pem

Creating CSR for multiple hosts

For example

Remove password from private key

Examining certificates

openssl verify cert.pem
openssl x509 -in cacert.pem -noout -text
openssl x509 -in foo.pem  -inform pem -noout -text 
openssl rsa -noout -text -in server.key
openssl req -noout -text -in server.csr
openssl rsa -noout -text -in ca.key
openssl x509 -noout -text -in ca.crt

with expiration date:

openssl x509 -noout -text -enddate -in ca.crt
  1. to check CN
openssl x509 -in server.crt -noout -subject
openssl pkcs12 -info -in keyStore.p12
openssl pkcs12 -info -in keyStore.pfx

Checking a service

  1. Note -CApath should point to your local collection of public CA certs
openssl s_client -connect -CApath /etc/ssl/certs host:pop3 -starttls pop3
openssl s_client -port 443 -CApath /etc/ssl/certs -host -prexit
openssl s_client -connect -starttls imap
openssl s_client -connect web.server:443 -showcerts
openssl s_client -connect -servername

Just check expiration date:

 openssl s_client -connect -starttls imap 2>/dev/null | openssl x509 -noout -dates


Check your site


echo quit | gnutls-cli --starttls-proto smtp --port 25 servac.skk | grep Status
echo quit | gnutls-cli --port 465 servac.skk | grep Status

check if certs match

TODO: -clr_check too

openssl pkey -in privateKey.key -pubout -outform pem | sha256sum 
openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum 
openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum

These values show match Also:

openssl verify -CAfile ca-bundle foo_bar.crt

A script to do these checks: [sslcheck]

Creating your own CA and signing with it

(based on

cd /etc/ssl
mkdir newcerts
(perform secret rituals)


Error messages

OpenSSL: error:0A000102:SSL routines::unsupported protocol

This could becaure you're trying to an older version of TLS, check openssl.cnf for

CipherString = DEFAULT:@SECLEVEL=2

which means it enforces minimum of TLSv1.2

You might now get

OpenSSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled

which means add below the CipherString line:

Options = UnsafeLegacyRenegotiation

Get issuer

openssl s_client -showcerts -connect <YOURHOST>:443 < /dev/null 2>/dev/null |grep -i issuer

Order of certificates in bundle

Root CA comes last

using s_client

no client certificate sent

try adding -cert


Secure Renegotiation IS NOT supported

Probably using wrong TLS version

Can't use SSL_get_servername

Try using hostname instead of IP address


server reset the connection

no peer certificate available

Could be trying to talk tls to ssl?

unable to load client certificate private key file

Verification error: unable to verify the first certificate

problem missing CA cert

error 20 at 0 depth lookup: unable to get local issuer certificate

you probably need to provide the right -CAfile maybe self signed?


Verify return code: 21 (unable to verify the first certificate)

Probably requires bundle


Bad certificate (code 42)

Means the server demands you authenticate with a certificate, and you did not do so, and that caused the handshake failure.


check certificate chain

openssl s_client -connect -showcerts


Some of the output

Certificate chain

0 s:CN = foo.local
  i:CN = foo.local-CA

0: first in chain

s: subject  ( openssl x509 -noout -in foo.crt -subject )

i: issuer ( openssl x509 -noout -in foo.crt -issuer )


openssl s_client -showcerts -verify 5 -connect  < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/)    {a++}; out="bluePage-cert"a".pem"; print >out}' 


openssl s_client -showcerts -verify 5 -connect starttls ldap  < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/)    {a++}; out="bluePage-cert"a".pem"; print >out}'

check expiration date

echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates

openssl x509 -enddate -noout -in file.pem

139814102202256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

i've seen this happen when someone deleted the BEGIN/END CERTIFICATE lines

or a file is in DER format

SSL CTX certificate file error: error:0906D06C:PEM routines:PEM_read_bio:no start line




check if webserver supports old tls

openssl s_client -connect -tls1
openssl s_client -connect -tls1_1

or when vhost:

 openssl s_client -servername -connect -tls1_1


ERROR: Certificate verification: Not trusted

seems to be an lftp issue

unsupported certificate purpose



ssllabs checks

Chain issues: Incorrect order, Contains anchor

Could be the topmost cert in the bundle provided, try removing it


Chain issues: Contains anchor

Seems to mean there's a root ca in the bundle

check smtp submission

echo -n "username" | base64
echo -n "password" | base64
openssl s_client -connect -starttls smtp -crlf




echo -ne '\0username\0password'| base64
AUTH LOGIN output_of_that_echo

Peer's Certificate issuer is not recognized.

p12 / pkcs12

openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem
openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem

server certificate does NOT include an ID which matches the server name