Multiple SSL Certs not signed by the same key

I have an SSL cert for one of my domains that I had purchased previously. The only problem is that the private key is different from the one used to sign the key for my main domain. I have manually installed the key in the correct directory for that domain but I see no way to have Mail-In-A-Box use a different key to check that cert.
As a result Nginx fails to start because A) it is looking at the wrong cert and key by default and B) the configuration keeps getting overwritten, removing my changes pointing Nginx at the correct cert and key.

How did you generate the second private key? Via the site where you received the SSL cert?

Have you tried out the new miab web-gui (System > SSL Certificates) yet? Click on the "Install Certificate" button and then you will need to provide the SSL certificate provider with the Certificate Signing Request (CSR) listed in the textbox below.

If you do so you will receive the right SSL certificate, one that fits the private key which miab created during its installation.

Cheers
H8H

I generated it on the server that hosts the website on that domain with openssl as per usual.

Can I simply include the private key in the cert chain to get around the issue? This SSL cert is already valid and signed with a pre-existing key and CSR that existed long before I set up MIAB.

If you line up the private key in the cert chain, you are doing it wrong. It's like leaving your latchkey on a bench in a public park.

CSR that existed long before I setup MIAB

Time to use the new one (created on the miab setup), if you want a stable and clean system. If not, you can overwrite the existing private key, delete all existing CSRs and certs and generate the (signed) certs with openssl as per usual. But no guarantee this would work.

All in all, the tools (nginx, courier, postfix) have to find the SSL certs / chains. If you change the configs they will be overwritten on the next miab update.

Cheers

So I should discard a perfectly valid and paid-for SSL cert? I call BS.
I know that the configs will be overwritten and MIAB is supposed to be KISS so anyone can set it up, but it cannot be out of the realm of possibility to add the option to define separate certificates and keys for each domain.

Right.

Have you tried to back up all the files located in /home/user-data/ssl (or $STORAGE_ROOT/ssl), wipe the whole directory, copy your private key to /home/user-data/ssl/ssl_private_key.pem, and then run setup/ssl.sh? This script should create you a certificate signing request and a self-signed cert. Now you can (hopefully) replace your valid and paid SSL cert with the self-signed certificate.

And for the other domain with another already valid certificate? (created with a new key and CSR)

Okay. I think this only works if you hardcode your nginx conf and give every server block its own private / public key.

Hey guys,

Sorry I couldn’t weigh in yesterday.

@ellisgeek Check out the files in /home/user-data/ssl. You can replace them as you need (including the private key) — just run mailinabox at the end to restart all of the necessary system services. The cert in that directory is for the box’s main hostname. Other domains the box knows about have subdirectories storing their certs. For the subdirectory domains, they by default use the same private key as the main cert (in /home/user-data/ssl) but you can create a file named private_key.pem (note it differs from the main private key) to provide a different private key for each domain if you need to. So e.g.:

/home/user-data/ssl/ssl_private_key.pem
-- private key for all certs (unless a domain-specific private key is given, see below)

/home/user-data/ssl/ssl_certificate.pem
-- certificate for box.yourdomain.com (if a wildcard/multi-domain cert, will also be used for any domains it is good for)

/home/user-data/ssl/yourdomain.com/private_key.pem
-- if present, used as the private key for this domain (and, also, disables the automatic wildcard/multi-domain cert logic)

/home/user-data/ssl/yourdomain.com/ssl_certificate.pem
-- the certificate for this domain (if a wildcard/multi-domain cert is installed as the main cert and it is good for this domain, then this file will be ignored)

And, again, just be sure to run `mailinabox` after making changes, since many services will need to be restarted.
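The layout above pairs each ssl_certificate.pem with a private key by a simple rule: the domain directory's own private_key.pem if it exists, otherwise the box-wide ssl_private_key.pem. The original poster's nginx failure is exactly what happens when that pairing is wrong (a certificate whose public key does not correspond to the key nginx is handed). The following script is an added example, not code from Mail-in-a-Box or from anyone in this thread; it walks an MIAB-style ssl directory, applies that pairing rule, and checks that every certificate's public key matches the key it would be served with, so you can run it against /home/user-data/ssl before running `mailinabox` and restarting services. It assumes the file names shown in the post above and that openssl is on the PATH; the directory path argument and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not MIAB's own code): verify that every certificate under an
# MIAB-style ssl directory matches the private key MIAB would pair it with.
#
#   check_miab_ssl_layout /home/user-data/ssl
#
# Pairing rule, as described in the thread:
#   <root>/ssl_certificate.pem              <-> <root>/ssl_private_key.pem
#   <root>/<domain>/ssl_certificate.pem     <-> <root>/<domain>/private_key.pem if present,
#                                               else <root>/ssl_private_key.pem
# Exit status 0 if every pair matches, 1 if any certificate/key mismatch is found.

# SHA-256 of the DER-encoded SubjectPublicKeyInfo derived from a private key file.
key_pubkey_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded SubjectPublicKeyInfo embedded in a certificate file.
cert_pubkey_fingerprint() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if the certificate ($1) was issued for the private key ($2).
# Comparing the public key is the right test: the key does not need to have
# signed the certificate (a CA did that), it needs to be the key the cert certifies.
cert_matches_key() {
    c=$(cert_pubkey_fingerprint "$1")
    k=$(key_pubkey_fingerprint "$2")
    [ -n "$c" ] && [ -n "$k" ] && [ "$c" = "$k" ]
}

check_miab_ssl_layout() {
    root=$1
    status=0
    main_key="$root/ssl_private_key.pem"
    main_cert="$root/ssl_certificate.pem"

    if [ -f "$main_cert" ]; then
        if cert_matches_key "$main_cert" "$main_key"; then
            echo "OK    main certificate matches $main_key"
        else
            echo "FAIL  main certificate does not match $main_key"
            status=1
        fi
    fi

    # One subdirectory per additional domain the box knows about.
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        domain=$(basename "$dir")
        cert="$dir/ssl_certificate.pem"
        [ -f "$cert" ] || continue          # no custom cert for this domain
        if [ -f "$dir/private_key.pem" ]; then
            key="$dir/private_key.pem"      # domain-specific key overrides the main one
        else
            key="$main_key"
        fi
        if cert_matches_key "$cert" "$key"; then
            echo "OK    $domain: certificate matches $key"
        else
            echo "FAIL  $domain: certificate does not match $key (add $dir/private_key.pem?)"
            status=1
        fi
    done
    return $status
}
```

A FAIL line for a domain directory that has no private_key.pem is the situation described at the top of the thread: the certificate was issued for a key other than the box-wide one, so the fix is to drop that key into the domain directory as private_key.pem rather than to edit the generated nginx configuration, which the next update would overwrite anyway.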

Thanks! This is perfect!

Edit: Now my 2nd domain has disappeared from the SSL page. My mail address and DNS records still exist though.

Hi @JoshData! Thanks for the tip about setting up our own certs. But… each time that I need to replace my domain cert I will have to re-run the mailinabox command? I'm trying to achieve something more automated, because my cert is auto-generated on another server and I would like to periodically fetch it.

What if after I fetched my cert, I manually restart postfix and dovecot?

Thanks!

I think I completely changed how SSL certificates are stored since the last post, when Let’s Encrypt support was added (two years ago?).

To install a SSL certificate, use the /admin control panel. You can spy on the control panel to see the underlying API, if needed.

I think you are storing them in the same place, because your previous instructions are still valid in the current version (0.26c). I will take a look under the hood.

Thank you!