NikaMail uses Java Key Store
*.jks format to keep public and private keys for StartTLS and WebUI.
Using a self-signed certificates.
Most email servers on the internet will accept self signed certificates when connecting to your server to pass an email, but there is a certain possibility that some of them wouldn’t accept it.
However, using a self signed cert is pretty enough if you don’t need to receive large amounts of correspondence or your server is for internal use.
Generate A self-signed certificate
- Install Java Development Kit if you don’t have it
- In the terminal call following command:
In this example: alias is
servercert and password is
password. You need to change it.
~# keytool -genkey -keyalg RSA -alias servercert -dname "CN=1, OU=2, O=2, L=4, S=5, C=GB" -keystore keystore.jks -storepass password -keypass password -validity 1440 -keysize 2048 -noprompt
config/keystore.jkswith newly generated key.
Or if you prefer to use WebUI:
NOTE: For convenience NikaMail uses one password for both: keystore and private key. Tech-savvy people can change the way it works if it’s needed.
- Restart server after changing certificates.
Use authority signed certificate
There is a great utility for this purpose: Keystore Explorer
- Download Keystore Explorer
- Import RSA keys
- Remember that password should be the same for both: keystore and private key
- Upload newly generated key to NikaMail
There are various ways to generate a JKS file from an authority signed certificate. Most of them look like voodoo magic even for orthodox linux freaks. If you want to learn some voodoo - google is glad to help you.