All-in-one StartSSL cert in shared environment


This tutorial works for CentOS only. For a tutorial for your specific OS, use the tags or the search function in the sidebar area.


As a web designer/freelancer and newborn admin you have a few 'clients' on your box. You're upset with all those browser/mail-client SSL warnings which you and your clients must bypass all the time, you have a working mail server (i.e. imap=dovecot/smtp=exim) and a web server (apache), and you don't want to spend hundreds of dollars on a commercial SSL certificate. Time to act!

Task: Obtain a free SSL certificate from StartSSL (a certificate which major browsers will accept), install that certificate into the servers (dovecot, exim, apache), and configure Mozilla Thunderbird autoconfig (configuration auto-discovery) mail server settings for your clients to use.

First, visit or go directly to the panel. You must authenticate yourself first, something like creating an account, because the Terms and Conditions of StartCom require subscribers to provide correct and complete personal details during registration. Without fulfilling this requirement, a subscriber (you) is not entitled to an account with StartSSL™. It is upon the subscriber to prove the validity of the details submitted should StartCom make such a request. This is nothing, as you will get an SSL certificate FOR FREE and there is no other such free CA on the market.

-   - your main domain, containing web-panel, roundcube or anything with https web-access
-  - your mailserver subdomain

Create a directory for your certs, e.g. /etc/ssl/

$ mkdir /etc/ssl
$ cd /etc/ssl

Generating a Certificate signing request (CSR)

Do the same as in the previous tutorial:

$ openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout -out

Of course, instead of '' use your own domain name.


Obtaining certificate from StartSSL




Validate that you own a

Enter your domain; you will receive a code by e-mail, and that code you have to enter in the next step for verification.


Certificate wizard

Choose Web Server SSL/TLS Certificate


Skip the key generator, as we generated our key already



Paste the contents of into the textarea

(with --- BEGIN --- and --- END --- text)

$ more


In this step choose the verified domain ( and enter your as a subdomain.
Simply put, the certificate will be valid for both and


If everything went OK you should get your certificate in the next step.
Copy it all (with --- BEGIN --- and --- END --- text) and paste it into

$ nano

Also download the CA and chain certificates:

$ wget
$ wget

At this moment in /etc/ssl/ you should have five files:

- ca.pem



Setting StartSSL certificate in Apache

Go to your /etc/httpd.conf or wherever you have your vhost configured.

$ nano /etc/httpd/conf/httpd.conf

and in the virtualhost ADD:

SSLEngine on
SSLCertificateFile /etc/ssl/
SSLCertificateKeyFile /etc/ssl/
SSLCertificateChainFile /etc/ssl/
SSLCACertificateFile /etc/ssl/ca.pem

Save and restart Apache:

$ service httpd restart

If all went OK, go to

enter your in the input field and hit 'Check SSL'

You should pass full validation, like on the screen below.


You may now navigate your clients to i.e. - isn't it pretty now?


Now it's time for the mail servers.

First, for the mail servers we have to create a bundled certificate, as they don't accept the chain certificates through a separate configuration option.

This is as simple as merging text files.

$ cd /etc/ssl
$ cp
$ cat >>
$ cat ca.pem >>

Now we should have a file with the following hierarchy:

- your certificate at the top -
- below -
- and CA root.pem at the bottom
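Before pointing Dovecot or Exim at the bundle it is worth checking two things: that the private key actually belongs to the first certificate in the file, and that the certificates verify, in that order, up to the root. The script below is an added example and not part of the original tutorial. It builds a throw-away root, intermediate and leaf with openssl so it can run anywhere, bundles them in the same order the tutorial uses, and runs both checks; all file names (root.pem, sub.pem, leaf.pem, leaf.key) and the host name mail.example.invalid are placeholders, not the real StartSSL files.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Placeholders only:
# root.pem / sub.pem / leaf.pem / leaf.key and mail.example.invalid do not
# reproduce the real StartSSL file or host names.
set -e

# Return 0 when the RSA private key and the first certificate in the
# (bundle) file share a modulus, i.e. the key matches the certificate.
key_matches_cert() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus | openssl sha256)
    crt_mod=$(openssl x509 -in "$2" -noout -modulus | openssl sha256)
    [ "$key_mod" = "$crt_mod" ]
}

# Split a PEM bundle into one file per certificate ($2.1, $2.2, ...) and
# print how many certificates it held. Plain awk, so no openssl needed here.
split_bundle() {
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "." n }
        out != "" { print > out }' "$1"
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Return 0 when the bundle verifies with certificate 1 as the end entity,
# the certificates in between as untrusted intermediates and the last one
# as the trusted root. A bundle in the wrong order fails this check.
verify_bundle() {
    dir=$(mktemp -d)
    n=$(split_bundle "$1" "$dir/c")
    ok=1
    if [ "$n" -lt 2 ]; then
        ok=0
    elif [ "$n" -eq 2 ]; then
        openssl verify -CAfile "$dir/c.2" "$dir/c.1" >/dev/null 2>&1 || ok=0
    else
        i=2
        while [ "$i" -lt "$n" ]; do
            cat "$dir/c.$i" >> "$dir/untrusted"
            i=$((i + 1))
        done
        openssl verify -CAfile "$dir/c.$n" -untrusted "$dir/untrusted" \
            "$dir/c.1" >/dev/null 2>&1 || ok=0
    fi
    rm -rf "$dir"
    [ "$ok" -eq 1 ]
}

# Build a constructed demo chain in directory $1 and write two bundles:
# bundle.pem in the tutorial's order (your cert, intermediate, root) and
# reversed.pem, deliberately wrong, to show the check catching it.
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # the intermediate must carry CA:TRUE or the chain will not verify
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.invalid" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/sub.pem" "$d/root.pem" > "$d/bundle.pem"
    cat "$d/root.pem" "$d/sub.pem" "$d/leaf.pem" > "$d/reversed.pem"
}
```

On the real box you would call `key_matches_cert` with your key and the bundle you just built in /etc/ssl, then `verify_bundle` on the bundle; a failure in the second check almost always means the three files were concatenated in the wrong order. Keep the private key out of the bundle and readable by root only; the bundle holds certificates, which are public, while the key is the one file that must never leave the server.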


SSL already configured?

The next steps require that you already have an SSL/TLS mail server properly configured (i.e. with a self-signed certificate).
If you haven't configured SSL yet, see the previous tutorial.


Inserting certificate into Dovecot (IMAP/POP3)

$ nano /etc/dovecot/dovecot.conf

and change your certs accordingly:


Save, exit and restart the servers:

$ service exim restart
$ service dovecot restart

Autoconfig (Auto Discovery in Thunderbird)

This is especially useful in shared hosting, where there are many users and many domains. But wait, we have a cert only for one domain ( not, ... and so on. Luckily here comes the autoconfig (autodiscovery) feature that e.g. Thunderbird uses (you can see it in action when you add an account and TB tries to guess the mail settings; yep, those settings you can adjust).

So what we do here is use a little force and ask Thunderbird (and other mail software) to tell your client "Hi, I've found these settings for your mail account", and make our clients use (which is SSL OK) rather than (which isn't SSL OK), so they don't see the SSL warnings and are no less happy ;-)

You should have defined a default vhost already in your apache configuration.

I assume here your default virtualhost points to /var/www/html/

$ mkdir -p /var/www/html/autoconfig/mail
$ cd /var/www/html/autoconfig/mail/
$ touch config-v1.1.xml

You can read about the whole process here

and prepare your configuration similar to this config-v1.1.xml

E.g. have you noticed %EMAILADDRESS%? Great, isn't it? Now we don't have to tell the clients to log in with their full mail address rather than the username only! Great feature!

You can paste and adjust the settings.

Remember to save it as config-v1.1.xml
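To show what such a file contains and what to check in it, here is an added example, not the tutorial's own config-v1.1.xml. The first function prints an autoconfig document that points every user of a client domain at the single mail host the certificate covers, using %EMAILADDRESS% as the username so the full address is filled in automatically; the second checks a finished file for any <hostname> that is not that host, since one stray hostname would bring the SSL warnings straight back. The host and domain names are placeholders, and the ports (993 IMAP over SSL, 587 SMTP with STARTTLS) are assumed standard ports, not values from the tutorial.

```shell
#!/bin/sh
# Added example, not the tutorial's own config-v1.1.xml. Host names, domain
# names and ports below are placeholders / assumed defaults; %EMAILADDRESS%
# is the placeholder Thunderbird itself expands to the user's full address.
set -e

# Print an autoconfig document for mail host $1 and client domain $2.
# $3 is the display name shown in the account wizard (defaults to $2).
autoconfig_xml() {
    mailhost=$1
    domain=$2
    name=${3:-$2}
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
  <emailProvider id="$domain">
    <domain>$domain</domain>
    <displayName>$name</displayName>
    <displayShortName>$name</displayShortName>
    <incomingServer type="imap">
      <hostname>$mailhost</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>$mailhost</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>
EOF
}

# Return 0 only when autoconfig file $1 contains at least one <hostname>
# and every one of them equals $2, the host the certificate is valid for.
hostnames_match() {
    hosts=$(sed -n 's/.*<hostname>\([^<]*\)<\/hostname>.*/\1/p' "$1")
    [ -n "$hosts" ] || return 1
    printf '%s\n' "$hosts" | grep -qvx -- "$2" && return 1
    return 0
}
```

Typical use is `autoconfig_xml mail.example.invalid client-one.invalid "Client One" > /var/www/html/autoconfig/mail/config-v1.1.xml` followed by `hostnames_match /var/www/html/autoconfig/mail/config-v1.1.xml mail.example.invalid`; rerun the check whenever the file is edited by hand.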


Now the Apache alias.

The autoconfig feature always looks for the file located at

Because we don't want to create that file in every client domain's directory on our server, what we want is an alias, so that for any new domain it will always be fetched OK:

$ nano /etc/httpd/conf/httpd.conf

and paste:

Alias /.well-known "/var/www/html/"

Restart Apache.

You should now be able to fetch that config XML file by typing any of your or your clients' domains,

e.g. and you should get that XML file in response.

Now try with a new Thunderbird account.