SSL: Certificate Management
Problem Statement
After a year of good and loyal service, your Courier (POP3 or IMAP) server fails due to a simple SSL problem! Yes, after a year, certificates expire!
Preparation
We need to generate new certificates. First, let’s go to the right location:
Then, we delete the old one:
Generation
Automatic
If you decide to simply renew this certificate every year, edit the “.cnf” file and fill it out correctly. Here’s an example:
Then, run the certificate regeneration command:
You should see something like this:
generating a 1024 bit RSA private key
...........................++++++
.++++++
writing new private key to '/usr/lib/courier/imapd.pem'
-----
1024 semi-random bytes loaded
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
.....................+.........................+..........+.....................
....+...............+........+............................................+..+..
.................................+....+................................+...+....
....................+...........................................................
.+...........................+..........+........................+..............
............+............++*++*++*++*++*++*
Manual
To create the key manually, here is the command that generates it:
Replace pop3.pem with imap.pem if you are using IMAP (adapt as needed). 1024 is the RSA key length in bits; increase it if necessary (1024-bit RSA is no longer considered adequate).
Then, you have two options:
- Self-signature
- Signature from an authority
Self-signature
The -x509 option produces a self-signed certificate:
- 365: number of days before expiration
- pop3d.pem: certificate to sign
- pop3d.crt: certificate acting as authority
Signature from an authority
Here’s an example:
- 365: number of days before expiration
- pop3d.pem: certificate to sign
- pop3d.crt: the authority's certificate; put the certificate provided by the authority here
Applying New Certificates
To apply these new certificates, simply restart the appropriate services. Example:
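An added example, not code from the original page or from Courier: the two checks a practitioner wants around this procedure, producing a Courier-style combined PEM (private key followed by the certificate, the layout the regeneration scripts write) and testing how many days of validity remain so the yearly expiry is caught before the server stops accepting connections. It assumes the openssl command-line tool is installed; the host name and paths in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not the page's or Courier's own code. Requires the openssl CLI.
# Courier reads the private key and the certificate from one PEM file
# (e.g. /usr/lib/courier/imapd.pem), key first, as the mk*cert scripts write it.
set -eu
umask 077   # key material must never be readable by other users

# make_courier_pem FILE DAYS CN: write a fresh self-signed key+certificate to FILE.
make_courier_pem() {
    file=$1; days=$2; cn=$3
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
        -subj "/CN=$cn" -keyout "$file.key" -out "$file.crt" 2>/dev/null
    cat "$file.key" "$file.crt" > "$file"   # combined layout Courier expects
    rm -f "$file.key" "$file.crt"
}

# cert_valid_for_days FILE DAYS: exit 0 if the certificate in FILE is still valid
# DAYS days from now, 1 if it expires sooner or has already expired.
# openssl x509 skips the key block and reads the first CERTIFICATE block.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# cert_expiry FILE: print the notAfter date, handy for a nightly cron mail.
cert_expiry() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Usage on a live server (placeholder host name and path):
#   make_courier_pem /usr/lib/courier/imapd.pem 365 imap.example.com
#   cert_valid_for_days /usr/lib/courier/imapd.pem 30 || echo "renew imapd.pem soon"
#   then restart the Courier SSL service as described in the section above.
```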
Modifying the Automatic Certificate Generation Script
As seen above, automatic certificate generation runs a script. If you want to change it slightly, for example to give the certificate 2 or 3 years of validity, this is convenient, even if not recommended.
Let’s edit the file /usr/lib/courier/mkpop3dcert:
Now that you’ve reached this point, you should better understand which options to modify.
Resources
Last updated 08 Jul 2007, 21:33 CEST.