Updating certs for Postfix and Courier

I wanted to post a procedure on updating certs for Postfix and Courier POP. I do this and forget, so this will be nice for the next time.

First I delete the ‘demoCA’ directory

rm -rf /etc/ssl/misc/demoCA

Then I edit the script since this may have been overwritten on an openssl update.

vi /etc/ssl/misc/
Add -nodes (newca):
print "Making CA certificate ...\n";
system ("$REQ -new -nodes -x509 -keyout " .
"${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS");

Add -nodes (newcert):

# create a certificate
system ("$REQ -new -nodes -x509 -keyout newkey.pem -out newcert.pem $DAYS");

Add -nodes and replace newkey handling (newreq):

# create a certificate request
#system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");
system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");

Create the certs…

cd /etc/ssl/misc
./ -newca
./ -newreq-nodes
./ -sign

UPDATE 4/9/2022
I used ./ -newreq-nodes for the request.

Additionally, I received these errors:

Apr 9 18:11:15 postfix/smtpd[5459]: warning: cannot get RSA private key from file "/etc/postfix/certs/newreq220409.pem": disabling TLS support
Apr 9 18:11:15 postfix/smtpd[5459]: warning: TLS library problem: error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY:
Apr 9 18:11:15 postfix/smtpd[5459]: warning: TLS library problem: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM

To fix this I had to prepend newkey.pem to newreq.pem, so that the file Postfix reads as its key file contains the private key.


UPDATE 4/6/2021
When I did the -newreq, I received the following error:

“Ignoring -days; not generating a certificate” – and because of this newreq.pem was empty. I had to edit and set

#my $DAYS = "-days 365";
my $DAYS = "";

Copy the certs into the postfix certs directory.

cp newcert.pem /etc/postfix/certs/newcert[date].pem
cp newreq.pem /etc/postfix/certs/newreq[date].pem
cp demoCA/cacert.pem /etc/postfix/certs/cacert[date].pem

Make sure you edit the /etc/postfix/ with the new cert locations.

smtpd_tls_key_file = /etc/postfix/certs/newreq081906.pem
smtpd_tls_cert_file = /etc/postfix/certs/newcert081906.pem
smtpd_tls_CAfile = /etc/postfix/certs/cacert081906.pem
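
Before restarting, the key and certificate files can be checked for the failure shown in the 4/9/2022 update (a key file with no private key in it). The script below is an added example, not part of the original procedure; the function name check_tls_pair, its return codes and the script name check.sh are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: check the files named in smtpd_tls_key_file and
# smtpd_tls_cert_file before restarting Postfix.
# check_tls_pair and its return codes are hypothetical names for this sketch.
#
# check_tls_pair KEYFILE CERTFILE returns:
#   0 ok
#   2 KEYFILE has no private key block (the "Expecting: ANY PRIVATE KEY" case)
#   3 CERTFILE has no certificate block
#   4 private key and certificate do not belong together
#   5 KEYFILE is accessible to group or others
check_tls_pair() {
    key=$1
    cert=$2
    # A file holding only a CERTIFICATE REQUEST fails here.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" || return 2
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" || return 3
    # Derive the public key from each file and compare them.
    # -passin pass: makes an encrypted key fail instead of prompting.
    kpub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 4
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 4
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] || return 4
    # -nodes leaves the key unencrypted on disk, so only the owner
    # should have any access: characters 5-10 of the mode must be dashes.
    perms=$(ls -lL "$key" | cut -c5-10)
    [ "$perms" = "------" ] || return 5
    return 0
}

# Usage (check.sh is a hypothetical file name):
#   sh check.sh /etc/postfix/certs/newreq[date].pem /etc/postfix/certs/newcert[date].pem
if [ "$#" -eq 2 ]; then
    rc=0
    check_tls_pair "$1" "$2" || rc=$?
    case $rc in
        0) echo "ok: key and certificate match" ;;
        2) echo "no private key block in $1" ;;
        3) echo "no certificate block in $2" ;;
        4) echo "key in $1 does not match certificate in $2" ;;
        5) echo "$1 is accessible to group or others" ;;
    esac
    exit "$rc"
fi
```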

Restart postfix and watch the mail.log

/etc/init.d/postfix restart; tail -f /var/log/mail.log

Test sending email. You should receive a ‘changed’ cert notice; accept it and you should be good.

To create new certs for courier, issue the following command (assuming that you’ve already updated /etc/courier-imap/pop3d.cnf with appropriate values):

mkpop3dcert

UPDATE – running into issues with mkpop3dcert

Generating a RSA private key
writing new private key to '/etc/courier-imap/pop3d.pem'
Invalid command 'gendh'; type "help" for a list.


Looks like mkpop3dcert still references gendh, but the current version of openssl doesn’t have that. I had to comment out that line in /usr/sbin/mkpop3dcert. Not sure if I needed the DH PARAMETERS, but I copied it from the previous cert and added it at the end. I’m sure courier-imap will fix this.