Certificate Hell


Yeah I'm gonna burn out doing blogs soon enough. But I have so much to say! Earlier was just a follow up to yesterday so here is what I've been working on since noon.

Well last year around Thanksgiving my email server secure certificates expired and so I dreaded having to re-learn how to do this. I figured renewing would be cake. I really couldn't find much in howto's for doing this. So last year I just created a new one and oddly with an expired CA to the best of my knowledge. At any rate I just did a one year since I figured I would/should have upgraded or moved on by this time now. Trust me I have been trying to but very slowly. So I found a howto for renewing your certs. First off I followed the directions and all was swell. Then trying to get Thunderbird (TB) to take/see the new certs didn't fare as well. Then I found that my CA expired in like August of 2004! Then after creating new ca and certs TB still didn't see the new one. Aha! Forgot about the flip side of SMTP... IMAP. I thought I would cheat and just do a symlink to the existing postfix cert but that didn't go well. Then I found the makeimapcert script and used that to renew one more year.

Trust me last year went much better but that was only because that was when I installed courier. So with this blog... maybe my documentation will help me get this figured out with less pain next year if I haven't moved in to a new home by then.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Worzie's picture

Okay... so what am I doing here a year later?

Call me the chief procrastinator! Yeah yeah yeah, I still haven't moved on from this FC3 server and got caught with another expired cert. Question is... "has this blog from last year helped any?"

So far I'm not finding the mentioned "makeimapcert" script even after doing a 'updatedb'. Then after having to research more, I find I spelled it wrong; should be 'mkimapdcert' rather.

cd /usr/lib/courier-imap/share/
mv imapd.pem imapd.pem.old

Fill in the cert and done! I restart my TB client and inspect the cert permanently accepting it.

Better luck next year!

Worzie's picture

Again I'm back after three years

Yet another piece I forgot to add in the routine mix:

cd /etc/postfix
mv smtpd.cert smtpd.cert.old1
mv smtpd.key smtpd.key.old1
openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM -days 365 -x509
chmod 640 smtpd.key
chown root.postfix smtpd.key smtpd.cert

Open Certificates

Awhile back I ran across this CA, which aims to offer trusted certificates for free. There are various levels of certificates, each with increasing identity requirements.


The root certificate isn't included in most mainstream browsers yet, but can be easily added. IMHO, it's better than self-generated.

Scott Dowdle's picture

My reference for certificate creation?

I've only worked with one pay certificate and all of the rest I have self-signed... but yes, they can be a pain in the butt. I really don't like having to regenerate them every year so I usually modify the script that makes them so it will generate a certificate good for 3 to 5 years.

For reference materials, I always find myself going back to the RHEL documentation or when I'm in a hurry, a quick RH Knowledgebase search:

Related RH Knowledgebase Posts:

> How do I create a self-signed certificate for Apache?

> How do I configure imaps and pop3s in dovecot?

> How can I create self-signed SSL certificates for use with Postfix on Red Hat Enterprise Linux 4?

> How do I configure Sendmail to use SSL encryption for sending/receiving email?

To modify the length of time, just edit the Makefile and change -days 365 to whatever you want.

Scott Dowdle

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.