Tonight, I logged into my email only to discover my SSL certificate had expired! So I logged into SSH to create a new one, only to find out how hard it is! So now that I’m done and it’s working all nice and proper, I’d like to share my knowledge. I’ve obtained parts of this tutorial from various websites.
cd /root
mkdir sslcert
chmod 0700 sslcert
cd sslcert
mkdir certs private
echo '100001' > serial
touch certindex.txt
Now that the base structure is created, we make a configuration file for OpenSSL. Save it as openssl.cnf in the sslcert directory, since the commands below refer to it as ./openssl.cnf.
#
# OpenSSL configuration file.
#

# Establish working directory.
dir = .

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256      # MD5 signatures are rejected by current clients
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048                      # Size of keys (1024-bit RSA is no longer accepted)
default_keyfile = key.pem                # name of generated keys
default_md = sha256                      # message digest algorithm
string_mask = nombstr                    # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# Variable name                 Prompt string
#-------------------------      ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name                 Value
#------------------------       ------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Providence
countryName_default = US

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
And now we create a “root” certificate on which all the others will be based.
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem \
    -out cacert.pem -days 365 -config ./openssl.cnf
You will be prompted for information and a password. Do not lose this password, make sure it is a secure one, and back up the two files that are created (private/cakey.pem and cacert.pem).
Create a key and signing request
openssl req -new -nodes -out name-req.pem -keyout private/name-key.pem -config ./openssl.cnf
The Common Name should be the hostname of your IMAP server (imap.northernlightstechnology.ca, for instance), because mail clients compare it against the name they connect to.
Sign the request
openssl ca -out name-cert.pem -config ./openssl.cnf -infiles name-req.pem
Make the proper IMAP .pem file
cat private/name-key.pem > ssl.pem
Now you need to edit name-cert.pem and copy -----BEGIN CERTIFICATE----- and everything below it to your ssl.pem file (the human-readable dump that openssl ca writes above that line is not needed). The result should look like this when it’s done:
-----BEGIN RSA PRIVATE KEY-----
....
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Move it to the courier directory
This is different according to your system setup but for me it was
cp ssl.pem /etc/courier-imap/ssl.pem
Restart Courier
And now you are done!
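As an added example (not part of the original post), here is a small shell function for checking the finished ssl.pem before, or after, it is copied into the Courier directory: that it holds exactly one key and one certificate, that the two belong together, that the certificate was issued by cacert.pem, that it is not expired or about to expire (the problem that started all this), and that its name matches the IMAP hostname. It assumes the OpenSSL command-line tool, version 1.1.0 or newer (for -checkhost), and the file names used above.

```shell
#!/bin/sh
# check_imap_pem PEMFILE CAFILE HOSTNAME
# Returns 0 only if every check on the combined key+certificate file passes.
check_imap_pem() {
  pem=$1 ca=$2 host=$3
  rc=0
  # 1. Exactly one private key block and one certificate block, as in ssl.pem.
  if [ "$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$pem")" != 1 ] ||
     [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem")" != 1 ]; then
    echo "FAIL: $pem must contain exactly one key and one certificate" >&2
    rc=1
  fi
  # Pull the two PEM blocks out so each openssl subcommand sees only its own.
  key=$(sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' "$pem")
  cert=$(sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$pem")
  # 2. The key and the certificate carry the same public key.
  keypub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null)
  certpub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null)
  if [ -z "$keypub" ] || [ "$keypub" != "$certpub" ]; then
    echo "FAIL: private key does not match certificate" >&2
    rc=1
  fi
  # 3. The certificate was signed by our own CA certificate.
  printf '%s\n' "$cert" | openssl verify -CAfile "$ca" >/dev/null 2>&1 ||
    { echo "FAIL: certificate is not signed by $ca" >&2; rc=1; }
  # 4. Not expired, and not expiring within the next 30 days (2592000 s).
  printf '%s\n' "$cert" | openssl x509 -noout -checkend 2592000 >/dev/null ||
    { echo "FAIL: certificate expired or expires within 30 days" >&2; rc=1; }
  # 5. The certificate is valid for the hostname clients connect to
  #    (-checkhost prints "does match" or "does NOT match").
  printf '%s\n' "$cert" | openssl x509 -noout -checkhost "$host" |
    grep -q 'does match' ||
    { echo "FAIL: certificate is not valid for host $host" >&2; rc=1; }
  return $rc
}
```

Run it as `check_imap_pem ssl.pem cacert.pem imap.example.com` from the sslcert directory; a cron job running the same function against /etc/courier-imap/ssl.pem would have warned about the expiry well before clients started complaining.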