Unifix knowledge database
How to make courier SSL certificates.
See http://milliwaysconsulting.net/support/systems/courier-ssl.html for original version.

We use Courier IMAP for IMAP and POP connectivity. After a standard install you have to use 'mkimapdcert' and 'mkpop3dcert' to generate the SSL certificates. Because these certificates are self-signed, clients (such as Outlook) present the user with a window which says they cannot verify the authenticity of the certificate. There are two ways around this problem:

- Send a CSR off to Verisign or similar and purchase a real certificate
- Create your own CA and sign the IMAP/POP certificates with that

We already have our own CA certificate for use with Apache, so we chose to go with the second option. We will not cover creating your own CA certificates here.

The steps needed to create IMAP/POP certificates and sign them with our own CA are as follows:

1. Create a CSR for your pop and imap servers
2. Sign the CSR with your CA Certificates
3. Create a pem file suitable for use with courier imap

Create a CSR for your pop and imap servers

The first thing we need before we can generate a CSR is a key. Ideally we do not want a pass phrase on this key: if we had one, we would have to enter that phrase every time the POP and IMAP servers were started.

    # openssl genrsa -out milliways-mail.key 1024

Now that we have generated a key we need to use it to generate a CSR. We can do this with the following command:

    # openssl req -new -key milliways-mail.key -config ../etc/imapd.cnf -out milliways-mail.csr

I have put all the information to include in the certificate in imapd.cnf; this means you won't have to keep typing it should you need to create another CSR.

The contents of imapd.cnf are as follows:

    RANDFILE = /usr/local/app/courier-imap-1.5.3/share/imapd.rand

    [ req ]
    default_bits = 1024
    encrypt_key = yes
    distinguished_name = req_dn
    x509_extensions = cert_type
    prompt = no

    [ req_dn ]
    C=GB
    ST=London
    L=London
    O=Milliways Consulting ltd
    OU=mail server
    CN=mail.milliwaysconsulting.net
    emailAddress=email@example.com

    [ cert_type ]
    nsCertType = server

Sign the CSR with your CA Certificates

Now we have a CSR we can either send it off to Verisign or sign it with our own CA certificate. We are going to sign it with our own CA:

    # sign.sh milliways-mail.csr
    CA signing: milliways-mail.csr -> milliways-mail.crt:
    Using configuration from ca.config
    Enter PEM pass phrase:
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    countryName           :PRINTABLE:'GB'
    stateOrProvinceName   :PRINTABLE:'London'
    localityName          :PRINTABLE:'London'
    organizationName      :PRINTABLE:'Milliways Consulting ltd'
    organizationalUnitName:PRINTABLE:'mail server'
    commonName            :PRINTABLE:'mail.milliwaysconsulting.net'
    emailAddress          :IA5STRING:'firstname.lastname@example.org'
    Certificate is to be certified until May 2 13:20:12 2004 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    CA verifying: milliways-mail.crt <-> CA cert
    milliways-mail.crt: OK

Create a pem file suitable for use with courier imap

Now that we have created a signed certificate we need to 'mangle' it slightly to make it work with Courier. The first step is to remove the human-readable version of the certificate which the signing process has inserted at the top of the new .crt file. Open it in an editor and remove everything down to the line which begins:

    -----BEGIN CERTIFICATE-----

After you have removed that, you need to put both the .key and .crt files into a .pem file for use with Courier:

    # cat milliways-mail.key milliways-mail.crt > milliways-mail.pem

The last step in preparing this certificate for use with Courier is to add the Diffie-Hellman parameters to the .pem file:

    # openssl gendh >> milliways-mail.pem
    Generating DH parameters, 512 bit long safe prime, generator 2
    This is going to take a long time
    ....................................+

Merge your CA Certificate with outlook/mozilla

I have covered merging a CA Certificate with a browser here
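As an added example (not part of the original page), the edit-and-cat step under "Create a pem file suitable for use with courier imap" can be scripted so that the human-readable preamble is stripped automatically and the pass-phrase-free key lands in a file only its owner can read. The helper names pem_only, pem_labels, build_courier_pem, key_matches_cert and make_sample are hypothetical, and the sample files are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, file names follow the page.

# Print only the PEM blocks of a file, dropping human-readable text such as
# the certificate dump the signing step writes above BEGIN CERTIFICATE.
pem_only() {
    sed -n '/^-----BEGIN [A-Z0-9 ]*-----$/,/^-----END [A-Z0-9 ]*-----$/p' "$1"
}

# Print the block labels of a PEM file in file order, comma-terminated.
pem_labels() {
    sed -n 's/^-----BEGIN \([A-Z0-9 ]*\)-----$/\1/p' "$1" | tr '\n' ','
}

# build_courier_pem KEY CRT OUT: write key + certificate to OUT with mode
# 0600 (the key has no pass phrase), refusing anything other than exactly
# one private key followed by one certificate.
build_courier_pem() {
    rm -f "$3.tmp"
    ( umask 077
      pem_only "$1" > "$3.tmp" && pem_only "$2" >> "$3.tmp" ) || return 1
    case $(pem_labels "$3.tmp") in
        "RSA PRIVATE KEY,CERTIFICATE,"|"PRIVATE KEY,CERTIFICATE,")
            mv "$3.tmp" "$3" ;;
        *)  echo "unexpected PEM blocks in $1 / $2" >&2
            rm -f "$3.tmp"; return 1 ;;
    esac
}

# key_matches_cert PEM: true when the key and certificate in PEM carry the
# same public key. Needs the openssl CLI; fails closed if either is unreadable.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed sample files for a dry run (placeholder base64, not real keys).
make_sample() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$1/milliways-mail.key"
    printf '%s\n' 'Certificate:' '    Data:' '        Version: 3 (0x2)' \
        '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/milliways-mail.crt"
}
```

Run `build_courier_pem milliways-mail.key milliways-mail.crt milliways-mail.pem`, confirm the pair with `key_matches_cert milliways-mail.pem`, then append the Diffie-Hellman parameters as described in the last step.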