Courier IMAP SSL Certificates

Tonight, I logged into my email only to discover my SSL certificate had expired! So I logged into SSH to create a new one, only to find out how hard it is! So now that I’m done and it’s working all nice and proper, I’d like to share my knowledge. I’ve obtained parts of this tutorial from various websites.

cd /root
mkdir sslcert
chmod 0700 sslcert
cd sslcert
mkdir certs private
echo '100001' >serial
touch certindex.txt

Now the base structure is created, we make a configuration file for OpenSSL

#
# OpenSSL configuration file.
#

# Establish working directory.

dir					= .

[ ca ]
default_ca				= CA_default

[ CA_default ]
serial					= $dir/serial
database				= $dir/certindex.txt
new_certs_dir				= $dir/certs
certificate				= $dir/cacert.pem
private_key				= $dir/private/cakey.pem
default_days				= 365
default_md				= md5
preserve				= no
email_in_dn				= no
nameopt					= default_ca
certopt					= default_ca
policy					= policy_match

[ policy_match ]
countryName				= match
stateOrProvinceName			= match
organizationName			= match
organizationalUnitName			= optional
commonName				= supplied
emailAddress				= optional

[ req ]
default_bits				= 1024			# Size of keys
default_keyfile				= key.pem		# name of generated keys
default_md				= md5				# message digest algorithm
string_mask				= nombstr		# permitted characters
distinguished_name			= req_distinguished_name
req_extensions				= v3_req

[ req_distinguished_name ]
# Variable name				Prompt string
#-------------------------	  ----------------------------------
0.organizationName			= Organization Name (company)
organizationalUnitName			= Organizational Unit Name (department, division)
emailAddress				= Email Address
emailAddress_max			= 40
localityName				= Locality Name (city, district)
stateOrProvinceName			= State or Province Name (full name)
countryName				= Country Name (2 letter code)
countryName_min				= 2
countryName_max				= 2
commonName				= Common Name (hostname, IP, or your name)
commonName_max				= 64

# Default values for the above, for consistency and less typing.
# Variable name				Value
#------------------------	  ------------------------------
0.organizationName_default		= My Company
localityName_default			= My Town
stateOrProvinceName_default		= State or Providence
countryName_default			= US

[ v3_ca ]
basicConstraints			= CA:TRUE
subjectKeyIdentifier			= hash
authorityKeyIdentifier			= keyid:always,issuer:always

[ v3_req ]
basicConstraints			= CA:FALSE
subjectKeyIdentifier			= hash

And now we create a “root” certificate which all others will be based off of

openssl req -new -x509 -extensions v3_ca -keyout \
private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf

You will be prompted for information and a password. Do not loose this password, make sure it is a secure one, and back up the two files that are created.

Create a key and signing request

openssl req -new -nodes -out name-req.pem -keyout private/name-key.pem -config ./openssl.cnf

Common name should be your imap server url (imap.northernlightstechnology.ca for instance).

Sign the request

openssl ca -out name-cert.pem -config ./openssl.cnf -infiles name-req.pem

Make the proper IMAP .pem file

cat private/name-key.pem > ssl.pem

Now you need to edit name-cert.pem and copy —–BEGIN CERTIFICATE—– and everything below it to your ssl.pem file which should look like this when it’s done

-----BEGIN RSA PRIVATE KEY-----
....
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Move it to the courier directory

This is different according to your system setup but for me it was

cp ssl.pem /etc/courier-imap/ssl.pem

Restart Courier

And now you are done!

Leave a Reply