I wanted to post a procedure on updating certs for Postfix and Courier POP. I do this and forget, so this will be nice for the next time.
First, delete the old ‘demoCA’ directory:
rm -rf /etc/ssl/misc/demoCA
Then edit the CA.pl script, since these changes may have been overwritten by an openssl update:
vi /etc/ssl/misc/CA.pl
Add -nodes in the newca section:
print "Making CA certificate ...\n";
system ("$REQ -new -nodes -x509 -keyout " .
"${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS");
$RET=$?;
Add -nodes in the newcert section:
# create a certificate
system ("$REQ -new -nodes -x509 -keyout newkey.pem -out newcert.pem $DAYS");
Add -nodes and replace the newkey handling in the newreq section (the key is written into newreq.pem alongside the request):
# create a certificate request
#system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");
system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
Create the certs:
cd /etc/ssl/misc
./CA.pl -newca
./CA.pl -newreq
./CA.pl -sign
Copy the certs into the postfix certs directory:
cp newcert.pem /etc/postfix/certs/newcert[date].pem
cp newreq.pem /etc/postfix/certs/newreq[date].pem
cp demoCA/cacert.pem /etc/postfix/certs/cacert[date].pem
Make sure you edit /etc/postfix/main.cf with the new cert locations:
smtpd_tls_key_file = /etc/postfix/certs/newreq081906.pem
smtpd_tls_cert_file = /etc/postfix/certs/newcert081906.pem
smtpd_tls_CAfile = /etc/postfix/certs/cacert081906.pem
Restart postfix and watch mail.log:
/etc/init.d/postfix restart; tail -f /var/log/mail.log
Test by sending an email. Your mail client should show a ‘certificate changed’ notice; accept it and you should be good.
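The same three CA.pl steps (-newca, -newreq, -sign) done with plain openssl commands, followed by the checks worth running before pointing main.cf at the new files. This is an added example, not part of the original post or of the CA.pl script; the directory layout, subject names, key file names and the 30-day expiry margin are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the CA.pl -newca / -newreq / -sign
# steps done with plain openssl, plus the checks worth running before a restart.
# Directory layout, subject names and the 30-day expiry margin are assumptions.
set -e

# make_certs DIR DAYS: create a -nodes CA and a CA-signed server cert under DIR.
make_certs() {
    dir=$1
    days=${2:-365}
    mkdir -p "$dir"

    # CA.pl -newca equivalent: unencrypted (-nodes) CA key, self-signed CA cert.
    openssl req -new -nodes -x509 -days "$days" \
        -subj "/CN=Example Mail CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null

    # CA.pl -newreq equivalent: server key and certificate request.
    # -nodes means no passphrase, so Postfix can start unattended; that makes
    # the file permissions on the key the only thing protecting it.
    openssl req -new -nodes \
        -subj "/CN=mail.example.test" \
        -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null
    chmod 600 "$dir/cakey.pem" "$dir/newkey.pem"

    # CA.pl -sign equivalent: issue the server cert from the request.
    openssl x509 -req -days "$days" -in "$dir/newreq.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/newcert.pem" 2>/dev/null
}

# key_matches_cert KEY CERT: succeed only if KEY is the private key for CERT.
# Compares the public keys instead of trusting file names, which catches the
# mistake of copying a stale key file into /etc/postfix/certs.
key_matches_cert() {
    certpub=$(openssl x509 -in "$2" -noout -pubkey)
    keypub=$(openssl pkey -in "$1" -pubout)
    [ "$certpub" = "$keypub" ]
}

# check_certs DIR: what the smtpd_tls_* settings need to be true before a restart.
check_certs() {
    dir=$1
    # The cert must chain to the CA that will be published in smtpd_tls_CAfile.
    openssl verify -CAfile "$dir/cacert.pem" "$dir/newcert.pem" >/dev/null 2>&1 || return 1
    # The key in smtpd_tls_key_file must belong to the cert in smtpd_tls_cert_file.
    key_matches_cert "$dir/newkey.pem" "$dir/newcert.pem" || return 1
    # Refuse a cert that expires within 30 days (2592000 s); it needs renewing, not installing.
    openssl x509 -in "$dir/newcert.pem" -noout -checkend 2592000 >/dev/null || return 1
    return 0
}

# Usage: sh make-mail-certs.sh /tmp/mailcerts 365
if [ $# -gt 0 ]; then
    make_certs "$1" "${2:-365}" && check_certs "$1" && echo "certs in $1 are consistent"
fi
```

Run check_certs against the copies in /etc/postfix/certs before the restart; a key/cert mismatch or an expired cert otherwise only shows up as TLS failures in mail.log after clients have already been refused.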
To create new certs for courier, run mkpop3dcert (assuming that you’ve already updated /etc/courier-imap/pop3d.cnf with appropriate values).
UPDATE – running into issues with mkpop3dcert
Generating a RSA private key
........................................+++++
................................+++++
writing new private key to '/etc/courier-imap/pop3d.pem'
-----
Invalid command 'gendh'; type "help" for a list.
Looks like mkpop3dcert still references gendh, but the current version of openssl doesn’t have it. I had to comment out that line in /usr/sbin/mkpop3dcert. Not sure if I needed the DH PARAMETERS, but I copied them from the previous cert and added them at the end. I’m sure courier-imap will fix this.