1. Abstract: Create Certificate
    1. Generate key
    2. Generate signing request
    3. Sign the key
    4. Create server certificate
    5. Set permission
    6. Set owner
    7. Copy into place
    8. Restart services

  2. Application: Self-Signed Certificate
    1. # openssl genrsa -out x.key 2048
    2. # openssl req -new -key x.key -out x.csr
    3. # openssl x509 -req -days 3650 -in x.csr -signkey x.key -out x.crt
    4. # cat x.crt x.key > servercert.pem
    5. # chmod 644 servercert.pem
    6. # chown root:qmail servercert.pem
    7. # cp -p servercert.pem /var/qmail/control

  3. Application: Godaddy Signed Certificate
    1. # openssl genrsa -out x.key 2048
    2. # openssl req -new -key x.key -out x.csr
    3. Submit signing request (x.csr) to Godaddy; Later download signed key (crt and crt bundle)
    4. # cat x.key 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem
    5. # chmod 644 servercert.pem
    6. # chown root:qmail servercert.pem
    7. # cp -p servercert.pem /var/qmail/control

  4. Let's Encrypt CentOS 6 (Automatic, assumes working web server)
    1. # mkdir /opt/certbot
    2. # cd /opt/certbot
    3. # wget https://dl.eff.org/certbot-auto
    4. # chmod a+x certbot-auto
    5. # ./certbot-auto --apache -d mydomain.com -d mail.mydomain.com certonly --email me@mydomain.com --renew-by-default --agree-tos --text
  5. Let's Encrypt CentOS 7 (Automatic, assumes working web server)
    1. # yum install python-certbot-apache
    2. # certbot --apache -d mydomain.com -d mail.mydomain.com
    3. Add to Apache Virtual CentOS 6 & 7
       SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
       SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
       SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
      
    4. Add to Dovecot CentOS 6 & 7
       ssl_cert = </etc/letsencrypt/live/mydomain.com/fullchain.pem
       ssl_key = </etc/letsencrypt/live/mydomain.com/privkey.pem
      
    5. Add to Qmail CentOS 6 & 7
       cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
       cat /etc/letsencrypt/live/mydomain.com/privkey.pem /etc/letsencrypt/live/mydomain.com/fullchain.pem > /var/qmail/control/servercert.pem
      
    6. Let's Encrypt auto renewal
        Add to cron nightly renew of certs (These certificates expire every 3 months)
        0 0 * * * /opt/certbot/certbot-auto renew  #CentOS 6
        0 0 * * * /opt/certbot/certbot renew       #CentOS 7
      

  6. Restart Qmail and Dovecot
    1. # qmailctl stop
    2. # qmailctl start
    3. # systemctl restart dovecot
    4. # systemctl restart httpd