Updating certs for Postfix and Courier

I wanted to post a procedure on updating certs for Postfix and Courier POP. I do this and forget, so this will be nice for the next time.

First I delete the ‘demoCA’ directory

rm -rf /etc/ssl/misc/demoCA

Then I edit the CA.pl script since this may have been overwritten on openssl update.

vi /etc/ssl/misc/CA.pl

Add -nodes in the newca section:

print "Making CA certificate ...\n";
system ("$REQ -new -nodes -x509 -keyout " .
"${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS");
$RET=$?;

Add -nodes in the newcert section:

# create a certificate
system ("$REQ -new -nodes -x509 -keyout newkey.pem -out newcert.pem $DAYS");

Add -nodes and replace the newkey handling in the newreq section (the key and the request now go into the same file, newreq.pem):

# create a certificate request
#system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");
system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");

Create the certs:

cd /etc/ssl/misc
./CA.pl -newca
./CA.pl -newreq
./CA.pl -sign

Copy the certs into the Postfix certs directory:

cp newcert.pem /etc/postfix/certs/newcert[date].pem
cp newreq.pem /etc/postfix/certs/newreq[date].pem
cp demoCA/cacert.pem /etc/postfix/certs/cacert[date].pem

Make sure you edit /etc/postfix/main.cf with the new cert locations:

smtpd_tls_key_file = /etc/postfix/certs/newreq081906.pem
smtpd_tls_cert_file = /etc/postfix/certs/newcert081906.pem
smtpd_tls_CAfile = /etc/postfix/certs/cacert081906.pem

Restart Postfix and watch mail.log:

/etc/init.d/postfix restart; tail -f /var/log/mail.log

Test sending email. You should receive a 'changed cert' notice; accept it and you should be good.
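An added check for the Postfix steps above (not from the original post): before pointing main.cf at the new files and restarting, confirm that the key, cert and CA copied into /etc/postfix/certs actually belong together and have a sane lifetime. It assumes openssl is in PATH; the three file paths are arguments, so it works with whatever [date] suffix you used.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is in PATH and
# the three paths are the files copied into /etc/postfix/certs above:
# the key file (newreq[date].pem, which may also hold the request), the
# CA-signed cert (newcert[date].pem) and the CA cert (cacert[date].pem).

# check_postfix_tls KEYFILE CERTFILE CAFILE [MIN_DAYS]
# Exit status 0 when the private key matches the cert, the cert chains to the
# CA, and the cert stays valid for at least MIN_DAYS (default 30) more days.
check_postfix_tls() {
    key="$1"; cert="$2"; ca="$3"; min_days="${4:-30}"

    # 1. Extract the public key from both files and compare. openssl pkey skips
    #    any leading CERTIFICATE REQUEST block, so the combined newreq.pem is fine.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "cannot read a private key from $key" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) ||
        { echo "cannot read a certificate from $cert" >&2; return 1; }
    [ "$key_pub" = "$cert_pub" ] ||
        { echo "private key $key does not match certificate $cert" >&2; return 1; }

    # 2. The cert must verify against what is going into smtpd_tls_CAfile.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "$cert does not chain to $ca" >&2; return 2; }

    # 3. -checkend takes seconds; it fails if the cert expires inside that window.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "$cert expires within $min_days days" >&2; return 3; }

    echo "$cert: key matches, chains to $ca, valid for at least $min_days days"
    return 0
}

# Example invocation with the paths used in main.cf on this page:
# check_postfix_tls /etc/postfix/certs/newreq081906.pem \
#     /etc/postfix/certs/newcert081906.pem /etc/postfix/certs/cacert081906.pem
```

A non-zero exit (1 mismatch, 2 chain failure, 3 expiring) tells you which of the three files to redo before touching main.cf.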

To create new certs for Courier, issue the following command (assuming you've already updated /etc/courier-imap/pop3d.cnf with the appropriate values): mkpop3dcert

UPDATE – running into issues with mkpop3dcert

Generating a RSA private key
.....................................................................................................+++++
...........................................................................................+++++
writing new private key to '/etc/courier-imap/pop3d.pem'
-----
Invalid command 'gendh'; type "help" for a list.

Looks like mkpop3dcert still references gendh, but the current version of openssl doesn't have that. I had to comment out that line in /usr/sbin/mkpop3dcert. Not sure if I needed the DH PARAMETERS, but I copied it from the previous cert and added it at the end. I'm sure courier-imap will fix this.