  1. Abstract: Create Certificate
    1. Generate key
    2. Generate signing request
    3. Sign the key
    4. Create server certificate
    5. Set permission
    6. Set owner
    7. Copy into place
    8. Restart services

  2. Application: Self-Signed Certificate
    1. # openssl genrsa -out x.key 2048
    2. # openssl req -new -key x.key -out x.csr
    3. # openssl x509 -req -days 3650 -in x.csr -signkey x.key -out x.crt
    4. # cat x.crt x.key > servercert.pem
    5. # chmod 644 servercert.pem
    6. # chown root:qmail servercert.pem
    7. # cp -p servercert.pem /var/qmail/control

  3. Application: Godaddy Signed Certificate
    1. # openssl genrsa -out x.key 2048
    2. # openssl req -new -key x.key -out x.csr
    3. Submit the signing request (x.csr) to GoDaddy; later, download the signed certificate (crt and crt bundle)
    4. # cat x.key 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem
    5. # chmod 644 servercert.pem
    6. # chown root:qmail servercert.pem
    7. # cp -p servercert.pem /var/qmail/control

  4. Let's Encrypt CentOS 6 (Automatic, assumes working web server)
    1. # mkdir /opt/certbot
    2. # cd /opt/certbot
    3. # wget https://dl.eff.org/certbot-auto
    4. # chmod a+x certbot-auto
    5. # ./certbot-auto --apache -d mydomain.com -d mail.mydomain.com certonly --email me@mydomain.com --renew-by-default --agree-tos --text
  5. Let's Encrypt CentOS 7/8 (Automatic, assumes working web server)
    1. # yum install python-certbot-apache
    2. # certbot --apache -d mydomain.com -d mail.mydomain.com
    3. Add to Apache Virtual Host CentOS 6 & 7/8
       SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
       SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
       SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
      
    4. Add to Dovecot CentOS 6 & 7/8
       ssl_cert = </etc/letsencrypt/live/mydomain.com/fullchain.pem
       ssl_key = </etc/letsencrypt/live/mydomain.com/privkey.pem
      
    5. Add to Qmail CentOS 6 & 7/8
       cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
       cat /etc/letsencrypt/live/mydomain.com/privkey.pem /etc/letsencrypt/live/mydomain.com/fullchain.pem > /var/qmail/control/servercert.pem
       Springdale, Rocky and Alma Linux 9 may need the private key last:
       cat /etc/letsencrypt/live/mydomain.com/fullchain.pem /etc/letsencrypt/live/mydomain.com/privkey.pem > /var/qmail/control/servercert.pem
      
    6. Let's Encrypt auto renewal
        Add a nightly cron job to renew the certificates (these certificates expire every 3 months)
        0 0 * * * /opt/certbot/certbot-auto renew  #CentOS 6
        0 0 * * * /opt/certbot/certbot renew       #CentOS 7
      

  6. Restart Qmail and Dovecot
    1. # qmailctl stop
    2. # qmailctl start
    3. # systemctl restart dovecot
    4. # systemctl restart httpd
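
The nightly renew in step 5.6 refreshes the files under /etc/letsencrypt/live, but /var/qmail/control/servercert.pem is a concatenated copy made in step 5.5, so Qmail keeps serving the old certificate until that file is rebuilt. The script below is an added example (not part of the original page and not shipped with certbot) that rebuilds it only after checking that the key matches the certificate and that the certificate has not expired. It assumes openssl is on the PATH and that the script is installed as a certbot deploy hook (--deploy-hook, or a file in /etc/letsencrypt/renewal-hooks/deploy/); the function name build_servercert and the key-first/key-last keywords are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original page): rebuild qmail's servercert.pem
# from a certbot live directory, validating the pair before touching the file.
# Usage: build_servercert LIVE_DIR OUT_FILE [key-first|key-last]
build_servercert() {
    live=$1
    out=$2
    order=${3:-key-first}            # key-last for the EL9 variant in step 5.5
    key=$live/privkey.pem
    chain=$live/fullchain.pem
    [ -r "$key" ] && [ -r "$chain" ] || { echo "missing $key or $chain" >&2; return 1; }

    # Refuse a private key that does not belong to the leaf certificate.
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key/certificate mismatch" >&2; return 1; }

    # Refuse a certificate that has already expired.
    openssl x509 -in "$chain" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate expired" >&2; return 1; }

    # Assemble in a 0600 temp file beside the target so a failure leaves it untouched.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    case $order in
        key-first) cat "$key" "$chain" > "$tmp" ;;
        key-last)  cat "$chain" "$key" > "$tmp" ;;
        *)         false ;;
    esac || { rm -f "$tmp"; echo "cannot assemble ($order)" >&2; return 1; }

    if [ -e "$out" ]; then
        # Same backup as step 5.5; writing in place keeps the existing owner and mode.
        cp -p "$out" "$out.bak" && cat "$tmp" > "$out" && rm -f "$tmp"
    else
        mv "$tmp" "$out"             # new file stays 0600 until chmod/chown are applied
    fi
}

# certbot sets RENEWED_LINEAGE (the live/<name> directory) when it runs a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_servercert "$RENEWED_LINEAGE" /var/qmail/control/servercert.pem &&
        qmailctl stop && qmailctl start
fi
```

Dovecot and Apache read the files under /etc/letsencrypt/live directly, so they only need the restart from step 6 after a renewal.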