
Using an OpenSSL certificate for Courier IMAP

Published by marco on

Courier IMAP has a default certificate for SSL communication, but it’s only valid for a year and has bogus, default information in it. You can use a utility to generate a new certificate and, with a little perseverance, find the configuration file from which it draws its parameters. With these parameters, you can make a slightly better certificate, but it’s better to use OpenSSL to generate a proper certificate, based either on a trusted certificate or self-signed. However, OpenSSL’s default output does not include the combined private key/certificate file expected by Courier. To do that, I adapted the instructions found in Courier IMAP SSL Certificate Installation to create the combined PEM file and reference it from the Courier configuration file.

In my case, I just re-used the certificates I’d already generated for TLS SMTP access with Postfix, which I’d stored at /etc/postfix/keys/. All instructions are for a Debian Etch installation. Open a text editor and paste the contents of the primary certificate and the private key one after another in the following order:

  1. The Primary Certificate (server.crt)
  2. The Private Key (server.key)

Include the BEGIN and END tags on each. The result should look like this:

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: server.crt)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: server.key)
-----END RSA PRIVATE KEY-----

Save the combined file as server.pem.

Finally, open the /etc/courier/imapd-ssl file and update the following value to reference the new PEM file.

TLS_CERTFILE=/etc/postfix/keys/server.pem

Restart the Courier server by executing /etc/init.d/courier-imap-ssl restart and you’re done.
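The same combine step as a script, added here as an example and not part of the original post: it checks that each input carries its BEGIN and END tags, writes the certificate before the key, copes with a certificate file that lacks a trailing newline, and creates the result with mode 600 because it contains the private key. The function names are hypothetical, and `key_matches_cert` assumes the `openssl` command-line tool and an unencrypted RSA key.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# key_matches_cert CERT KEY
# Succeeds only if the certificate and the RSA key share the same modulus.
# Assumes the openssl CLI is installed and the key has no passphrase.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1") || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# build_courier_pem CERT KEY OUT
# Writes the certificate, then the private key, into OUT with mode 600.
build_courier_pem() {
    cert=$1 key=$2 out=$3
    # Each input must carry its own BEGIN and END tags.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" &&
    grep -q -e '-----END CERTIFICATE-----' "$cert" || {
        echo "no certificate block in $cert" >&2; return 1; }
    grep -q -e '-----BEGIN \(RSA \)\{0,1\}PRIVATE KEY-----' "$key" &&
    grep -q -e '-----END \(RSA \)\{0,1\}PRIVATE KEY-----' "$key" || {
        echo "no private key block in $key" >&2; return 1; }
    # Build in a temp file created under umask 077 so the key is never
    # world-readable, then move it into place.
    tmp="$out.tmp.$$"
    # "awk 1" copies every line and terminates the last one with a newline,
    # so an END tag and the following BEGIN tag cannot end up on one line.
    ( umask 077; awk 1 "$cert" "$key" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv "$tmp" "$out"
}

# Usage with the file names and directory from the post:
#   cd /etc/postfix/keys &&
#   key_matches_cert server.crt server.key &&
#   build_courier_pem server.crt server.key server.pem
```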