Updating certs for Postfix and Courier

I wanted to post a procedure on updating certs for Postfix and Courier POP. I do this and forget, so this will be nice for the next time.

First I delete the ‘demoCA’ directory

rm -rf /etc/ssl/misc/demoCA

Then I edit the script, since it may have been overwritten by an openssl update.

vi /etc/ssl/misc/
add -nodes to the newca branch:
print "Making CA certificate ...\n";
system ("$REQ -new -nodes -x509 -keyout " .
"${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS");

add -nodes to the newcert branch:

# create a certificate
system ("$REQ -new -nodes -x509 -keyout newkey.pem -out newcert.pem $DAYS");

add -nodes and write the key into newreq.pem instead of newkey.pem in the newreq branch:

# create a certificate request
#system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");
system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");

Create the certs…

cd /etc/ssl/misc
./ -newca
./ -newreq
./ -sign

UPDATE 4/6/2021
When I did the -newreq, I received the following error:

“Ignoring -days; not generating a certificate” – and because of this newreq.pem was empty. I had to edit and set

#my $DAYS = "-days 365";
my $DAYS = "";

Copy the certs into the postfix certs directory.

cp newcert.pem /etc/postfix/certs/newcert[date].pem
cp newreq.pem /etc/postfix/certs/newreq[date].pem
cp demoCA/cacert.pem /etc/postfix/certs/cacert[date].pem

Make sure you edit /etc/postfix/ with the new cert locations.

smtpd_tls_key_file = /etc/postfix/certs/newreq081906.pem
smtpd_tls_cert_file = /etc/postfix/certs/newcert081906.pem
smtpd_tls_CAfile = /etc/postfix/certs/cacert081906.pem

Restart postfix and watch the mail.log

/etc/init.d/postfix restart; tail -f /var/log/mail.log

Test sending email. You should receive a ‘changed’ cert notice; accept it and you should be good.

To create new certs for courier, run mkpop3dcert (assuming that you’ve already updated /etc/courier-imap/pop3d.cnf with appropriate values).

UPDATE – running into issues with mkpop3dcert

Generating a RSA private key
writing new private key to '/etc/courier-imap/pop3d.pem'
Invalid command 'gendh'; type "help" for a list.
Looks like mkpop3dcert still references gendh, but the current version of openssl doesn’t have it. I had to comment out that line in /usr/sbin/mkpop3dcert. Not sure if I needed the DH PARAMETERS, but I copied it from the previous cert and added it at the end. I’m sure courier-imap will fix this.
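The whole procedure in one place, as an added example rather than the post's own script: the newca, newreq and sign steps done with plain openssl commands (all with -nodes, as in the edited CA.pl), the checks worth running before the files go into /etc/postfix/certs, and the combined key/cert/DH file that Courier reads, built with openssl dhparam instead of the removed gendh command. The subject names, the work directory and the function names are my own; the postfix check only reads the smtpd_tls_key_file, smtpd_tls_cert_file and smtpd_tls_CAfile settings shown above.

```shell
#!/bin/sh
# Added example, not the post's own script. Same path as the edited CA.pl
# (newca / newreq / sign, all -nodes) using plain openssl commands, then the
# checks worth doing before copying anything into /etc/postfix/certs or
# /etc/courier-imap/pop3d.pem.
set -eu

# Constructed subject names; replace with your own.
CA_SUBJ="/CN=Example Mail CA"
SRV_SUBJ="/CN=mail.example.com"

# newca: self-signed CA with an unencrypted key (-nodes), so the daemons can
# read it at start-up without a passphrase.
make_ca() {
    openssl req -new -nodes -x509 -days 3650 -subj "$CA_SUBJ" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# newreq: request plus private key. No -days here: on a request it only
# draws the "Ignoring -days; not generating a certificate" warning.
make_request() {
    openssl req -new -nodes -subj "$SRV_SUBJ" \
        -keyout "$1/newkey.pem" -out "$1/newreq.pem" 2>/dev/null
}

# sign: issue the server certificate from the request with the CA key.
sign_request() {
    openssl x509 -req -days 365 -in "$1/newreq.pem" \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
        -out "$1/newcert.pem" 2>/dev/null
}

# The two things that go wrong when files from different runs get mixed up:
# the chain no longer verifies, or the key does not belong to the cert.
verify_pair() {
    openssl verify -CAfile "$1/cacert.pem" "$1/newcert.pem" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$1/newcert.pem" -pubkey -noout)
    key_pub=$(openssl pkey -in "$1/newkey.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid $2 seconds from now;
# useful in a cron job so the renewal is not forgotten again.
check_not_expiring() {
    openssl x509 -checkend "$2" -noout -in "$1" >/dev/null 2>&1
}

# Every smtpd_tls_*file path in the given main.cf must exist and be readable;
# a typo in a date suffix is caught here rather than in mail.log.
check_postfix_paths() {
    for f in $(awk -F= '/^smtpd_tls_(key_file|cert_file|CAfile)[[:space:]]*=/ {
                     gsub(/[[:space:]]/, "", $2); print $2 }' "$1"); do
        [ -r "$f" ] || return 1
    done
}

# Courier reads key, certificate and DH parameters from one PEM file.
# openssl dhparam stands in for the gendh command mkpop3dcert still calls.
make_courier_pem() {
    bits=${3:-2048}
    openssl dhparam -out "$1/dh.pem" "$bits" 2>/dev/null
    cat "$1/newkey.pem" "$1/newcert.pem" "$1/dh.pem" > "$2"
    chmod 600 "$2"
}

# Confirm that each of the three sections of the combined file parses.
check_courier_pem() {
    openssl pkey -in "$1" -noout 2>/dev/null &&
        openssl x509 -in "$1" -noout 2>/dev/null &&
        sed -n '/BEGIN DH PARAMETERS/,/END DH PARAMETERS/p' "$1" |
            openssl dhparam -noout 2>/dev/null
}

# Usage: sh update-certs.sh /root/certwork
# Leaves the files in that directory for copying into place.
main() {
    mkdir -p "$1"
    make_ca "$1"
    make_request "$1"
    sign_request "$1"
    verify_pair "$1" || { echo "key/cert/CA mismatch" >&2; exit 1; }
    make_courier_pem "$1" "$1/pop3d.pem"
    check_courier_pem "$1/pop3d.pem" || { echo "pop3d.pem does not parse" >&2; exit 1; }
    echo "certificates written to $1"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

After running it, the copy step from the post is unchanged: newkey.pem becomes the smtpd_tls_key_file, newcert.pem the smtpd_tls_cert_file and cacert.pem the smtpd_tls_CAfile, and pop3d.pem goes to /etc/courier-imap/. The dhparam default of 2048 bits takes a while; that is expected.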