Article ID: 118354, created on Nov 1, 2013, last review on Sep 19, 2016

  • Applies to:
  • Plesk 12.0 for Linux
  • Plesk 11.0 for Linux
  • Plesk 11.5 for Linux


How to generate custom self-signed SSL certificates and apply them to Postfix?


  1. Create a root private key:

    # openssl genrsa -out rootCA.key 2048
  2. Change permissions of this private key to 400:

    # chmod 400 /usr/share/ssl/certs/postfix/rootCA.key
  3. Create a self-signed root certificate:

    # openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem

    With the following data (change the values as required):

    Country Name (2 letter code) [AU]:XX
    State or Province Name (full name) [Some-State]:SomeState
    Locality Name (eg, city) []:SomeCity
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company Co
    Organizational Unit Name (eg, section) []:Company Co
    Common Name (e.g. server FQDN or YOUR name) []
    Email Address []
  4. Create a private key for the final certificate:

    # openssl genrsa -out device.key 2048
  5. Create a certificate signing request:

    # openssl req -new -key device.key -out device.csr
  6. Finally, create the server certificate, signed with the root CA certificate and the root private key:

    # openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500
  7. Change Postfix configuration /etc/postfix/ to use the newly created certificates:

    #smtpd_tls_key_file = /etc/postfix/postfix_default.pem
    #smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
    #smtpd_tls_CAfile = /etc/postfix/postfix_default.pem
    smtpd_tls_key_file = /usr/share/ssl/certs/postfix/device.key
    smtpd_tls_cert_file = /usr/share/ssl/certs/postfix/device.crt
    smtpd_tls_CAfile = /usr/share/ssl/certs/postfix/rootCA.pem      
  8. Restart the Postfix service:

    [root@centos ~]# service postfix restart
    Shutting down postfix:                                     [  OK  ]
    Starting postfix:                                          [  OK  ]

All newly generated files should be created in the folder /usr/share/ssl/certs/postfix/ (you can use a different folder, but the paths in the Postfix configuration must then be changed to match).

After these steps, Postfix will work with the new certificates:

[root@centos ~]# openssl s_client -crlf -connect localhost:465
depth=0 C = US, ST = SomeState, L = SomeCity, O = Company Co, OU = Company Co, CN =, emailAddress =
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = SomeState, L = SomeCity, O = Company Co, OU = Company Co, CN =, emailAddress =
verify return:1
Certificate chain
 0 s:/C=PK/ST=SomeState/L=SomeCity/O=Company Co/OU=Company Co/
   i:/C=PK/ST=SomeState/L=SomeCity/O=Company Co/OU=Company Co/
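The following script is an added example, not part of the original article: it runs steps 1-6 non-interactively in a scratch directory and then checks the result before the files are referenced in the Postfix configuration. The function names and the `-subj` values are assumptions made for the example; the CA and the server certificate are given different subjects so that the server certificate is not self-issued.

```shell
#!/bin/sh
# Added example: steps 1-6 run non-interactively, plus checks to run before step 7.
# The -subj values are constructed samples; CA and server subjects differ on purpose.

build_chain() {            # $1 = directory that receives the files
    ( cd "$1" || exit 1
      umask 077            # new keys are never group/world readable
      openssl genrsa -out rootCA.key 2048 2>/dev/null &&
      chmod 400 rootCA.key &&
      openssl req -x509 -new -nodes -key rootCA.key -days 1024 \
          -subj "/C=XX/O=Company Co/CN=Example Root CA" -out rootCA.pem &&
      openssl genrsa -out device.key 2048 2>/dev/null &&
      openssl req -new -key device.key \
          -subj "/C=XX/O=Company Co/CN=mail.example.test" -out device.csr &&
      openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key \
          -CAcreateserial -out device.crt -days 500 2>/dev/null )
}

chain_ok() {               # device.crt verifies against rootCA.pem
    openssl verify -CAfile "$1/rootCA.pem" "$1/device.crt" 2>/dev/null |
        grep -q ': OK$'
}

key_matches_cert() {       # device.key is the private half of device.crt
    a=$(openssl x509 -in "$1/device.crt" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$1/device.key" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

ca_key_locked() {          # rootCA.key is mode 400, as set in step 2
    [ "$(ls -l "$1/rootCA.key" | cut -c1-10)" = "-r--------" ]
}

work=$(mktemp -d)
build_chain "$work" && chain_ok "$work" && key_matches_cert "$work" &&
    ca_key_locked "$work" && echo "all checks passed: $work"
```

Only device.key, device.crt and rootCA.pem are referenced by the Postfix settings in step 7; rootCA.key is needed only when signing certificates.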

