# did i create my dovecot ssl certs wrong?

## methodtwo

Hi there

I have my servers behind a single IP (my router's external IP). I want to be able to get mail from dovecot, via imaps, from my internal LAN and from the Internet. So far I've only used dovecot from the LAN.

I'm just wondering how to test if the dovecot.pem key file and dovecot.pem cert file were created correctly on my imaps server? When I connect to my dovecot imaps server, mutt always asks me if I want to accept the certificate (every time I connect... even though I've opted for (a)lways accept on all previous connection attempts).

Another issue is that I was thinking that I might have put the incorrect canonical name when I used mkcert.sh to create the cert/key files? Bearing in mind that there is no MX record in DNS for the mail server (both my servers will be accessed using a name that is associated with my router's external IP), the imaps server should have just this domain name as the canonical name when the cert/key is created, right? I think the cert was created using the full hostname+domainname. I have a webserver and a mail server, and the domain name associated with my router's external IP is the full name of the web server (hostname+domainname). So the canonical name I used when creating the cert/key for my mail server, I think, was mailserver.webserver.domain.org. I understand that this might be wrong if mail is to be accessed from the LAN and the net, right?

How do I see if the name in the cert/key is what mutt expects with the openssl command-line tools? Does the cert/key need to be regenerated using mkcert.sh with the canonical name set to just the domain name (router's external IP)? (I'm OK with a self-signed cert/key.)

Thank you very much for your time

Last edited by methodtwo on Fri Jan 27, 2012 11:38 am; edited 1 time in total
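
Added example, not from the thread: the name check a client such as mutt performs, written in Python against the dict shape Python's own `ssl.SSLSocket.getpeercert()` returns, so you can see why a cert whose only name is `mailserver.webserver.domain.org` fails when the connect name is `webserver.domain.org`. The two certificate dicts are constructed samples built from the poster's hypothetical names; to see the real names in dovecot.pem use `openssl x509 -in dovecot.pem -noout -subject -text` (look for "X509v3 Subject Alternative Name"), or `openssl s_client -connect <host>:993` against the running server.

```python
# Constructed sample: a cert whose only name is the CN (no subjectAltName),
# as a simple mkcert.sh run with CN=mailserver.webserver.domain.org gives.
CERT_CN_ONLY = {
    "subject": ((("commonName", "mailserver.webserver.domain.org"),),),
}

# Constructed sample: a cert that lists both names a client might connect
# to (the external name used from the Internet and the internal host name).
CERT_WITH_SAN = {
    "subject": ((("commonName", "webserver.domain.org"),),),
    "subjectAltName": (("DNS", "webserver.domain.org"),
                       ("DNS", "mailserver.webserver.domain.org")),
}


def cert_dns_names(cert):
    """Names a client compares the connect hostname against: the SAN dNSName
    entries when present; only if there are none, the subject commonName."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for (key, v) in rdn if key == "commonName"]


def _name_matches(pattern, hostname):
    """Case-insensitive exact match; a single '*' may stand in for exactly
    one leftmost label (RFC 6125 style), never for several labels."""
    p, h = pattern.lower(), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    head, _, tail = p.partition(".")
    if head != "*" or "*" in tail:
        return False
    hhead, _, htail = h.partition(".")
    return bool(hhead) and htail == tail


def hostname_matches(cert, hostname):
    """True if the cert is valid for the name the client connected to.
    A mismatch here is one reason mutt keeps asking about the certificate;
    the other is that a self-signed cert is not signed by a trusted CA."""
    return any(_name_matches(n, hostname) for n in cert_dns_names(cert))
```

If the same server is reached as one name from the LAN and another from the Internet, put both names in the certificate as SANs rather than choosing one CN.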

----------

## methodtwo

Seriously, self-signed certs are fine for my purpose and I want to stick with mutt as the MUA on the clients. Also, when using dovecot for IMAPS, if you want to have authentication of clients, do you have to set up a CA to issue your clients with certs? (If you don't want to generate a CSR and go to an official CA.)

----------

