View your /usr/local/etc/imapd-ssl file for the following lines:

COURIERTLS=/usr/local/bin/couriertls
...
TLS_CERTFILE=/usr/local/share/imapd.pem

So now we now that the certificate is stored in the following file:

  /usr/local/share/imapd.pem

Another important file is:

  /usr/local/etc/imapd.cnf

This file stores information for certificate generation:

RANDFILE = /usr/local/share/imapd.rand

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=SK
ST=Slovakia
L=Bratislava
O=Courier Mail Server
OU=IMAP SSL key
CN=yourhostname
emailAddress=your@email
[ cert_type ]
nsCertType = server

Next we need to find a program which you can use to generate new certificate:

# which mkimapdcert
/usr/local/sbin/mkimapdcert

This program takes values from imapd.cnf and creates custom certificate.

OPTIONAL: Change number of days the certificate will be valid.

# vi ./mkimapdcert

Edit mkimapdcer shell script and add the following two lines to the beginning:

  # 3 years
  DAYS=1095

Next change the following line:

  /usr/bin/openssl req -new -x509 -days 365 -nodes \

to:

  /usr/bin/openssl req -new -x509 -days $DAYS -nodes \

Now you are almost ready to generate a new certificate.

IMPORTANT: Before creating a new certificate, erase the old one, because the new one will not been created.

# rm /usr/local/share/imapd.pem

And now finally generate the certificate:

# cd /usr/local/sbin/
# ./mkimapdcert
Generating a 1024 bit RSA private key
...++++++
.......++++++
writing new private key to '/usr/local/share/imapd.pem'
-----
1024 semi-random bytes loaded
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
.........+.+..+......................+...................................
..........+......+....................+.........+................+.......
................+..........+.............+.++*++*++*++*++*++*
subject= /C=SK/ST=Slovakia/L=Bratislava/O=Courier Mail Server/OU=IMAP SSL key/CN=yourhostname/emailAddress=your@email
notBefore=Aug  8 12:21:49 2008 GMT
notAfter=Aug  8 12:21:49 2011 GMT
SHA1 Fingerprint=...

Do the same thing for POP3d. Check the location of POP3d certificate in /usr/local/etc/pop3d-ssl – it should say something like:

TLS_CERTFILE=/usr/local/share/pop3d.pem

The application for new certificate is called ‘mkpop3dcert‘. Before executing do not forget to delete the old certificate and optionally prolong the certificate expiration time (so you do not need to renew it every year ;).

# /usr/local/sbin/mkpop3dcert
Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to '/usr/local/share/pop3d.pem'
-----
1024 semi-random bytes loaded
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
............+....+.......+......+..................................+....+.......
.........+.........+............................................................
.................................................+..+.+........+......+.........
......................................+.+................................+......
..+..............+...............................+........+.....................
...............+.........+....+.............+..........................+........
.......+..+...............+.....................................................
......................+...............................+........+..........+.....
....+......+.....+....+....................+......+.............................
........................+...............................+.......+...............
..................+.....+..................+....+.+.............................
......+.......+............+.............................+.+.................+..
..........................................+.............+......+........+.......
..................................+.............................................
...+........+.....................++*++*++*++*++*++*
subject= /C=SK/ST=Slovakia/L=Bratislava/O=Courier Mail Server/OU=POP3 SSL key/CN=yourhostname/emailAddress=youremail
notBefore=Aug  8 12:21:55 2008 GMT
notAfter=Aug  8 12:21:55 2011 GMT
SHA1 Fingerprint=...

That’s it! Now you have two new certificates both for Cyrus IMAPd and POP3d.

References:

Creating new certificate for Cyrus POP3d and IMAPd

Leave a Reply

Your email address will not be published.