If you have setup your Apache cert with a key you will need to re-key it using the instructions below.The certbot instructions include a guide to convert the generated cert to qmail.

The first thing you will need to do when you create your apache certificate it is important to create the cert correctly.

Lets create the key:


# mkdir /root/certs
# cd /root/certs
# openssl genrsa -out domain.key 2048

You can substitute 2048 with 4096 for stronger encryption and make sure you replace domain with your actual domain name.

Now we need to create a csr:


# openssl req -new -key domain.key -out domain.csr

It is important to note here to type in all information for your company. When it asks for Common Name (eg, YOUR name) []: it is VERY IMPORTANT this field matches what your users are going to use for their mail server name. If you are buying a cert for multiple domains, this will be the domain users use the most. When viewing a cert for multiple domains, the common will appear first and the others will show on the cert.

This is the csr you can you to generate your cert when asked by the domain you buy your cert from. You can use this information to purchase your certificate.

Save the zip file with the cert and bundle to the primary server in newcert directory
Create an oldcert directory and copy old cert files into it for backup
Copy new key, crt and bundle.crt files into /etc/certs/
change filenames to suit and confirm they match the settings in httpd_ssl.conf

Confirm setting using apachectl configtest
Correct any errors until you get Syntax OK
Restart apache with apachectl restart
Tail the apache error log to ensure it resumed normal operations.
Bring web page up in browser - do a Ctrl+Refresh to ensure you get a clean load
Verify the Certificate information from the Lock icon

Provided all is good export the cert to Qmail (sslserver)


# cat mydomain.key > mydomain.pem
# cat mydomain.crt >> mydomain.pem
# cat gd_bundle.crt >> mydomain.pem
# chmod 640 mydomain.pem

Verify in your run script for the SSL SMTP Service
/var/qmail/supervise/ssl-smtpd/run

that the file name for the SSL Certificate matches
restart Qmail and tail smtpd-ssl current log to ensure it loaded the key

For WWW - copy the key and crt file to the server.
DO NOT use the bundle.crt file that is only for the server that issued the CSR.
follow same procedure, match the file names in the httpd_ssl.conf file
check config and restart and verify load
For secondary qmail servers create pem file using only the crt and key, not the bundle file
then follow the same procedure for installing.
Also ensure the key and crt files match in Dovecot.conf too
Special thanks to Cavin Greer for the documentation