Look in your /usr/local/etc/imapd-ssl file for the following lines:
COURIERTLS=/usr/local/bin/couriertls
...
TLS_CERTFILE=/usr/local/share/imapd.pem
So now we know that the certificate is stored in the following file:
/usr/local/share/imapd.pem
Another important file is:
/usr/local/etc/imapd.cnf
This file stores information for certificate generation:
RANDFILE = /usr/local/share/imapd.rand

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=SK
ST=Slovakia
L=Bratislava
O=Courier Mail Server
OU=IMAP SSL key
CN=yourhostname
emailAddress=your@email

[ cert_type ]
nsCertType = server
Next we need to find the program that generates a new certificate:
# which mkimapdcert
/usr/local/sbin/mkimapdcert
This program takes its values from imapd.cnf and creates a custom certificate.
OPTIONAL: Change the number of days the certificate will be valid.
# vi ./mkimapdcert
Edit the mkimapdcert shell script and add the following two lines at the beginning:
# 3 years
DAYS=1095
Next change the following line:
/usr/bin/openssl req -new -x509 -days 365 -nodes \
to:
/usr/bin/openssl req -new -x509 -days $DAYS -nodes \
Now you are almost ready to generate a new certificate.
IMPORTANT: Before creating a new certificate, erase the old one; otherwise the new one will not be created.
# rm /usr/local/share/imapd.pem
And now finally generate the certificate:
# cd /usr/local/sbin/
# ./mkimapdcert
Generating a 1024 bit RSA private key
...++++++
.......++++++
writing new private key to '/usr/local/share/imapd.pem'
-----
1024 semi-random bytes loaded
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
.........+.+..+......................+...................................
..........+......+....................+.........+................+.......
................+..........+.............+.++*++*++*++*++*++*
subject= /C=SK/ST=Slovakia/L=Bratislava/O=Courier Mail Server/OU=IMAP SSL key/CN=yourhostname/emailAddress=your@email
notBefore=Aug 8 12:21:49 2008 GMT
notAfter=Aug 8 12:21:49 2011 GMT
SHA1 Fingerprint=...
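The same DAYS edit and the "erase the old certificate first" rule, done as a script rather than by hand in vi, as an added example that is not part of the original post or of Courier itself. It works on a constructed copy of the relevant part of mkimapdcert in a temporary directory (the function names, the sample script contents and the temp paths are the example's own assumptions); the real paths it refers to, /usr/local/sbin/mkimapdcert and /usr/local/share/imapd.pem, are the ones from the post, and the same functions apply unchanged to mkpop3dcert and pop3d.pem.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the DAYS edit to a
# copy of mkimapdcert with a script instead of vi, and run the checks a
# careful admin wants before and after regenerating the certificate.
# Everything below works on constructed files in a temp directory; on a
# real host the script is /usr/local/sbin/mkimapdcert (or mkpop3dcert)
# and the certificate is /usr/local/share/imapd.pem (or pop3d.pem).

# Constructed stand-in for the part of mkimapdcert that matters here:
# the 'openssl req' line with its hard-coded '-days 365'.
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
# (constructed sample; the real Courier script has more lines than this)
umask 077
/usr/bin/openssl req -new -x509 -days 365 -nodes \
    -config /usr/local/etc/imapd.cnf \
    -out /usr/local/share/imapd.pem -keyout /usr/local/share/imapd.pem
EOF
}

# The edit from the post: define DAYS right after the shebang and make the
# openssl line use it instead of the hard-coded 365.
set_cert_days() {
    script=$1
    days=$2
    awk -v days="$days" '
        NR == 1 { print; print "# certificate lifetime in days"; print "DAYS=" days; next }
        { sub(/-days 365 /, "-days $DAYS "); print }
    ' "$script" > "$script.new" && mv "$script.new" "$script"
}

# What '-days' is set to in the script (365 before the edit, $DAYS after).
cert_days_arg() {
    sed -n 's/.*-days \([^ ]*\) .*/\1/p' "$1"
}

# The value DAYS is defined as in the script, if any.
configured_days() {
    sed -n 's/^DAYS=//p' "$1"
}

# The post's IMPORTANT step: mkimapdcert refuses to overwrite an existing
# certificate, so the old file must be gone. Returns 0 when it is safe to run.
preflight() {
    if [ -e "$1" ]; then
        echo "old certificate still present: $1 (remove it first)" >&2
        return 1
    fi
    return 0
}

# After generation: show subject, validity window and fingerprint of the
# new certificate (the pem holds key and cert; x509 reads the cert part).
show_cert() {
    openssl x509 -in "$1" -noout -subject -dates -fingerprint -sha256
}

# Stand-alone demo on a constructed copy; never touches /usr/local.
demo() {
    dir=$(mktemp -d)
    write_sample_script "$dir/mkimapdcert"
    set_cert_days "$dir/mkimapdcert" 1095
    echo "patched script:"
    cat "$dir/mkimapdcert"
    preflight "$dir/imapd.pem" && echo "no old certificate, safe to run"
    rm -rf "$dir"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh thisfile.sh demo` to see the patched copy; on a real host you would point set_cert_days at /usr/local/sbin/mkimapdcert, call preflight on /usr/local/share/imapd.pem before running the script, and call show_cert on the pem afterwards to confirm that notAfter matches the DAYS you chose. The 1024 bit key in the output above comes from default_bits in imapd.cnf, so that is the line to raise if you want a larger key when regenerating; the 512 bit DH parameters are produced by a separate openssl step in the same script, so look there as well.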
Do the same thing for POP3d. Check the location of the POP3d certificate in /usr/local/etc/pop3d-ssl – it should say something like:
TLS_CERTFILE=/usr/local/share/pop3d.pem
The program that generates the new POP3 certificate is called 'mkpop3dcert'. Before running it, do not forget to delete the old certificate and, optionally, extend the certificate's validity period (so you do not need to renew it every year ;).
# /usr/local/sbin/mkpop3dcert
Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to '/usr/local/share/pop3d.pem'
-----
1024 semi-random bytes loaded
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
............+....+.......+......+..................................+....+.......
.........+.........+............................................................
.................................................+..+.+........+......+.........
......................................+.+................................+......
..+..............+...............................+........+.....................
...............+.........+....+.............+..........................+........
.......+..+.....................................................................
......................+...............................+........+..........+.....
....+......+.....+....+....................+......+.............................
........................+...............................+.......+...............
..................+.....+..................+....+.+.............................
......+.......+............+.............................+.+.................+..
..........................................+.............+......+........+.......
..................................+.............................................
...+........+.....................++*++*++*++*++*++*
subject= /C=SK/ST=Slovakia/L=Bratislava/O=Courier Mail Server/OU=POP3 SSL key/CN=yourhostname/emailAddress=youremail
notBefore=Aug 8 12:21:55 2008 GMT
notAfter=Aug 8 12:21:55 2011 GMT
SHA1 Fingerprint=...
That’s it! Now you have two new certificates, one for Cyrus IMAPd and one for POP3d.