Use SSL certificate free for 3 months

Create your key (mail.saic.key) and your request (mail.saic.csr):

openssl req -new -newkey rsa:4096 -nodes -subj ‘/, Inc./C=IT/ST=Italy/L=Viadana’ -keyout mail.saic.key -out mail.saic.csr

Go to this website and follow the istruction for have back the certificate for your Common Name ( and the authority certificate :

Certificate Authority

I configured my dns.

I set all file permission

chmod 444 mail.saic.*

then vim /etc/postfix/

smtp_tls_key_file                         = /etc/ssl/certs/mail.saic.key

smtp_tls_cert_file                        = /etc/ssl/certs/mail.saic.crt

smtp_tls_CAfile                           = /etc/ssl/certs/

here the console for renew the certificate



It can be useful to check a certificate and key before applying them to your server. The following commands help verify the certificate, key, and CSR (Certificate Signing Request).

Check a certificate

Check a certificate and return information about it (signing authority, expiration date, etc.):

openssl x509 -in server.crt -text -noout

Check a key

Check the SSL key and verify the consistency:

openssl rsa -in server.key -check

Check a CSR

Verify the CSR and print CSR data filled in when generating the CSR:

openssl req -text -noout -verify -in server.csr

Verify a certificate and key matches

These two commands print out md5 checksums of the certificate and key; the checksums can be compared to verify that the certificate and key match.

openssl x509 -noout -modulus -in server.crt| openssl md5
openssl rsa -noout -modulus -in server.key| openssl md5


Self Signed Certificate : Commands

Create a private key

openssl genrsa -out server.key 4096

Generate a new private key and certificate signing request

openssl req -out server.csr -new -newkey rsa:4096 -nodes -keyout server.key

Generate a self-signed certificate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout server.key -out server.crt

Generate a certificate signing request (CSR) for an existing private key

openssl req -out server.csr -key server.key -new

Generate a certificate signing request based on an existing certificate

openssl x509 -x509toreq -in server.crt -out server.csr -signkey server.key

Remove a passphrase from a private key

openssl rsa -in server.pem -out newserver.pem

Parse a list of revoked serial numbers

openssl crl -inform DER -text -noout -in list.crl

Check a certificate signing request (CSR)

openssl req -text -noout -verify -in server.csr

Check a private key

openssl rsa -in server.key -check

Check a public key

openssl rsa -inform PEM -pubin -in pub.key -text -noout
openssl pkey -inform PEM -pubin -in pub.key -text -noout

Check a certificate

openssl x509 -in server.crt -text -noout
openssl x509 -in server.cer -text -noout

Check a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -info -in server.p12

Verify a private key matches an certificate

openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
openssl req -noout -modulus -in server.csr | openssl md5

Display all certificates including intermediates

openssl s_client -connect

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in server.cer -out server.pem

Convert a PEM file to DER

openssl x509 -outform der -in server.pem -out server.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

openssl pkcs12 -in server.pfx -out server.pem -nodes

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile CACert.crt

Leave a Reply