Using an OpenSSL certificate for Courier IMAP
Published by marco on
Courier IMAP has a default certificate for SSL communication, but it’s only valid for a year and has bogus, default information in it. You can use a utility to generate a new certificate and, with a little perseverance, find the configuration file from which it draws its parameters. With these parameters, you can make a slightly better certificate, but it’s better to use OpenSSL to generate a proper certificate, based either on a trusted certificate or self-signed. However, OpenSSL’s default output does not include the combined private key/certificate file expected by Courier. To do that, I adapted the instructions found in Courier IMAP SSL Certificate Installation to create the combined PEM file and reference it from the Courier configuration file.
In my case, I just re-used the certificates I’d already generated for TLS SMTP access with Postfix, which I’d stored at /etc/postfix/keys/. All instructions are for a Debian Etch installation.
Open a text editor and paste the contents of the primary certificate and the private key one after another in the following order:
- The Primary Certificate (server.crt)
- The Private Key (server.key)
Include the BEGIN and END tags on each. The result should look like this:
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: server.crt)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: server.key)
-----END RSA PRIVATE KEY-----
Save the combined file as server.pem.
Finally, open the /etc/courier/imapd-ssl file and update the following value to reference the new PEM file.
TLS_CERTFILE=/etc/postfix/keys/server.pem
Restart the Courier server by executing /etc/init.d/courier-imap-ssl restart and you’re done.
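The copy-and-paste step above as a script, an added example that is not part of the original post: it checks that the private key belongs to the certificate, concatenates the two in the order shown, and writes the result readable only by its owner, since the file contains the private key. The function name build_courier_pem is hypothetical, and the modulus comparison assumes an RSA key, as in the listing above.

```shell
#!/bin/sh
# Added example (not from the original post): build the combined PEM for
# Courier's TLS_CERTFILE. The function name is hypothetical.
# usage: build_courier_pem server.crt server.key server.pem
build_courier_pem() (    # body is a subshell: umask and variables stay local
    crt=$1 key=$2 out=$3 tmp="$3.tmp.$$"

    # Both inputs must carry their BEGIN and END tags.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$crt" &&
    grep -q -e '-----END CERTIFICATE-----' "$crt" ||
        { echo "no certificate block in $crt" >&2; return 1; }
    grep -Eq -e '-----BEGIN (RSA )?PRIVATE KEY-----' "$key" &&
    grep -Eq -e '-----END (RSA )?PRIVATE KEY-----' "$key" ||
        { echo "no private key block in $key" >&2; return 1; }

    # The key must belong to the certificate: compare the RSA moduli.
    # "-passin pass:" makes a passphrase-protected key fail, not prompt.
    cm=$(openssl x509 -noout -modulus -in "$crt") || return 1
    km=$(openssl rsa -noout -modulus -passin pass: -in "$key") || return 1
    [ "$cm" = "$km" ] ||
        { echo "$key does not match $crt" >&2; return 1; }

    # Certificate first, then key. awk terminates every line, so a missing
    # final newline in the certificate cannot glue END onto the next BEGIN.
    umask 077            # the result holds the private key: mode 0600
    rm -f "$tmp"
    awk 1 "$crt" "$key" > "$tmp" && mv -f "$tmp" "$out"
)

# Run directly: sh build_courier_pem.sh server.crt server.key server.pem
if [ "$#" -eq 3 ]; then build_courier_pem "$@"; fi
```

The Courier daemon still has to be able to read the resulting file, so adjust its owner to whatever account the daemon runs under on your system.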