If you have setup your Apache cert with a key you will need to re-key it using the instructions below.The certbot instructions include a guide to convert the generated cert to qmail.

The first thing you will need to do when you create your apache certificate it is important to create the cert correctly.

Lets create the key:

# mkdir /root/certs
# cd /root/certs
# openssl genrsa -out domain.key 2048

You can substitute 2048 with 4096 for stronger encryption and make sure you replace domain with your actual domain name.

Now we need to create a csr:

# openssl req -new -key domain.key -out domain.csr

It is important to note here to type in all information for your company. When it asks for Common Name (eg, YOUR name) []: it is VERY IMPORTANT this field matches what your users are going to use for their mail server name. If you are buying a cert for multiple domains, this will be the domain users use the most. When viewing a cert for multiple domains, the common will appear first and the others will show on the cert.

This is the csr you can you to generate your cert when asked by the domain you buy your cert from. You can use this information to purchase your certificate.

Now we should backup the current /var/qmail/control folder first:

# mkdir /var/qmail/backup_control
# cp -Rp /var/qmail/control/* /var/qmail/backup_control

Please copy the .crt you received to the root folder. Then run the following to make a signed cert:

# cd /root/certs
# cat domain.key > /var/qmail/control/servercert.pem
# cat cert.crt >> /var/qmail/control/servercert.pem
# cat intermediate.crt >> /var/qmail/control/servercert.pem

And now lets set the permissions on the servercert.pem:

# chown root:qnofiles /var/qmail/control/servercert.pem
# chmod 640 /var/qmail/control/servercert.pem

Now lets create the clientcert.pem file and the permissions:

# cp /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
# chown root:qmail /var/qmail/control/clientcert.pem
# chmod 640 /var/qmail/control/clientcert.pem