Why not /etc/dovecot/private? That's where I put my dovecot certs. Dovecot's needs are a bit different from other software, and so it is unclear whether the files won't be unique to it. For example, I haven't seen the following before I read it on the Dovecot wiki:

"The CA file should contain the certificate(s) followed by the matching CRL(s). Note that the CRLs are required to exist. For a multi-level CA place the certificates in this order:

Issuing CA cert
Issuing CA CRL
Intermediate CA cert
Intermediate CA CRL
Root CA cert
Root CA CRL"

On 2015/2/16 06:42, Wolfgang Gross wrote:

On 16 Feb 2015 at 21:59, Nick Edwards wrote:

...

This directory in later times is where more and more distros are putting system wide server CA type certs, most distros are moving to this path, so the package maintainer should fix their script, maybe to /etc/ssl/private or such.

Maybe not in /etc/ssl/private for security reasons? 10-ssl.conf uses the same file name for certificate and private key; better change this, too.

...

On 2/16/15, Wolfgang Gross <WGross@uni-hd.de> wrote:

...

Hi,

this is not a genuine Dovecot bug, more a nuisance. It applies to OpenSuse 13.2 but maybe also to other Linux's.

The standard installation of Dovecot (especially 10-ssl.conf) places the certificate dovecot.pem in /etc/ssl/certs. Sometimes during updates does OpenSuse renew all certificates in /etc/ssl/certs and erases dovecot.pem. This blocks further access to the mailbox.

I found a similar report here: https://bbs.archlinux.de/viewtopic.php?id=27288