How to make courier SSL certificates.

See http://milliwaysconsulting.net/support/systems/courier-ssl.html for original version.

We use courier imap for imap and pop connectivity. After a standard install you use 'mkimapdcert' and 'mkpop3dcert' to generate the SSL certificates, but the certificates they make are self-signed, so clients (such as Outlook) present the user with a window saying they cannot verify the authenticity of the certificate. There are two ways around this problem:

Send a CSR off to verisign or similar and purchase a real certificate 
Create your own CA and sign the imap/pop certificates with that. 
We already have our own CA certificate for use with Apache, so we chose the second option. Creating your own CA certificate is not covered here. The steps needed to create imap/pop certificates and sign them with our own CA are as follows:

Create a CSR for your pop and imap servers 
Sign the CSR with your CA Certificates 
Create a pem file suitable for use with courier imap 
Thanks & Links 
Create a CSR for your pop and imap servers
The first thing we need before we can generate a CSR is a key. Ideally this key has no pass phrase: if it had one, somebody would have to type it every time the pop and imap daemons were started. An unencrypted key must instead be protected by file permissions (readable by the daemon's user only), and so must the .pem file it ends up in later. 1024 bits was usual when this was written; generate 2048 bits or more today, since many current clients and TLS libraries reject shorter RSA keys.

# openssl genrsa -out milliways-mail.key 1024
Now that we have generated a key we need to use it to generate a CSR, we can do this with the following command:

# openssl req -new -key milliways-mail.key -config ../etc/imapd.cnf -out milliways-mail.csr
All the information to include in the certificate is kept in imapd.cnf, so you will not have to type it again should you need to create another CSR. The contents of imapd.cnf are as follows:

RANDFILE = /usr/local/app/courier-imap-1.5.3/share/imapd.rand

[ req ]
default_bits = 1024
# Only used when 'req' generates the key itself; we pass an existing key
# with -key, so this does not put a pass phrase on our key.
encrypt_key = yes
distinguished_name = req_dn
# x509_extensions only applies to self-signed certificates made with
# 'req -x509'; extensions for a CSR would go under req_extensions.
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=GB
ST=London
L=London
O=Milliways Consulting ltd
OU=mail server
CN=mail.milliwaysconsulting.net
emailAddress=cert@milliwaysconsulting.net

[ cert_type ]
# Netscape legacy extension: harmless, but modern clients ignore it.
nsCertType = server
Sign the CSR with your CA Certificates
Now that we have a CSR we can either send it off to VeriSign or sign it with our own CA certificate. We are going to sign it with our own CA. sign.sh is a wrapper around 'openssl ca'; the prompts and the "Data Base Updated" message below come from that:

# sign.sh milliways-mail.csr
CA signing: milliways-mail.csr -> milliways-mail.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'GB'
stateOrProvinceName   :PRINTABLE:'London'
localityName          :PRINTABLE:'London'
organizationName      :PRINTABLE:'Milliways Consulting ltd'
organizationalUnitName:PRINTABLE:'mail server'
commonName            :PRINTABLE:'mail.milliwaysconsulting.net'
emailAddress          :IA5STRING:'cert@milliwaysconsulting.net'
Certificate is to be certified until May  2 13:20:12 2004 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: milliways-mail.crt <-> CA cert milliways-mail.crt: OK
Create a pem file suitable for use with courier imap
Now that we have a signed certificate we need to 'mangle' it slightly so that courier accepts it. The first step is to remove the human-readable dump of the certificate which 'openssl ca' puts at the top of the new .crt file. Open it in an editor and remove everything above the line which begins:

-----BEGIN CERTIFICATE-----
(Alternatively, 'openssl x509 -in milliways-mail.crt -out milliways-mail-clean.crt' does the same job: it reads only the PEM block and writes out only that.) After you have removed the text, put both the .key and the .crt into a single .pem file for courier. This file now contains the private key, so make it readable by the courier user only:

# cat milliways-mail.key milliways-mail.crt > milliways-mail.pem
The last step in preparing this certificate for use with courier is to append Diffie-Hellman parameters to the .pem file. Note that 'gendh' is obsolete and its 512-bit default is far too small today (512-bit DH groups are breakable with modest resources); use 'openssl dhparam 2048 >> milliways-mail.pem' instead. The original command and its output:

# openssl gendh >> milliways-mail.pem
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
....................................+
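The whole procedure, from key to courier .pem, as an added example that is not the article's own code. It assumes OpenSSL 1.1.1 or later on a POSIX shell, a CA kept as ca.key and ca.crt in a directory you name (make_demo_ca() builds a throwaway one, labelled as such, so the script runs offline), and hypothetical file names. It departs from the article in three places a practitioner would want today: 2048-bit RSA and DH instead of 1024 and 512, a subjectAltName in the certificate, and a check function that confirms the key matches the certificate, the certificate chains to the CA and names the host, the DH parameters are well formed, and the file is readable only by its owner.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds a courier-style
# .pem (private key, then certificate, then DH parameters) for a mail host,
# signs the certificate with a private CA and checks the result. Hypothetical
# names throughout: the CA is expected as ca.key and ca.crt in the directory
# given as the second argument; make_demo_ca() creates a throwaway CA only so
# the script can run offline.
set -eu

# CSR config modelled on the article's imapd.cnf, with a subjectAltName
# added: current mail clients match the host name against the SAN.
write_req_config() {   # $1 = host name, $2 = config path to write
    cat > "$2" <<EOF
[ req ]
default_bits       = 2048
encrypt_key        = no
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
C  = GB
ST = London
L  = London
O  = Milliways Consulting ltd
OU = mail server
CN = $1

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$1
EOF
}

# Disposable CA for demonstration only; the article assumes you already have one.
make_demo_ca() {   # $1 = directory in which to create ca.key and ca.crt
    mkdir -p "$1"
    printf '%s\n' '[ req ]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        'prompt = no' '[ dn ]' 'O = Demo' 'CN = Demo private CA' '[ v3_ca ]' \
        'basicConstraints = critical, CA:TRUE' 'keyUsage = critical, keyCertSign, cRLSign' \
        'subjectKeyIdentifier = hash' > "$1/ca.cnf"
    (umask 077; openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null)
}

build_courier_pem() {   # $1 = host, $2 = CA dir, $3 = output dir, $4 = DH bits (default 2048)
    host=$1; ca=$2; out=$3; dhbits=${4:-2048}
    mkdir -p "$out"
    write_req_config "$host" "$out/imapd.cnf"
    # 1. Key without a pass phrase so the daemons start unattended; umask 077
    #    keeps it, and the .pem it ends up in, readable by its owner only.
    (umask 077; openssl genrsa -out "$out/$host.key" 2048 2>/dev/null)
    # 2. CSR from the config written above.
    openssl req -new -key "$out/$host.key" -config "$out/imapd.cnf" -out "$out/$host.csr"
    # 3. Sign with the CA. -extfile/-extensions puts the SAN and key usage into
    #    the certificate; 'openssl x509 -req' does not copy them from the CSR.
    openssl x509 -req -in "$out/$host.csr" -CA "$ca/ca.crt" -CAkey "$ca/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$out/imapd.cnf" -extensions v3_req \
        -out "$out/$host.crt" 2>/dev/null
    # 4. Key, certificate and DH parameters in one file, in that order. 'openssl x509'
    #    writes only the PEM block, so there is no text header to strip by hand.
    (umask 077; { cat "$out/$host.key"; openssl x509 -in "$out/$host.crt"
                  openssl dhparam "$dhbits" 2>/dev/null; } > "$out/$host.pem")
}

pem_block() {   # $1 = pem file, $2 = block name (sed regex); prints that block only
    sed -n "/^-----BEGIN $2-----/,/^-----END $2-----/p" "$1"
}

# Checks to run before pointing TLS_CERTFILE at the file; the return code says which failed.
check_courier_pem() {   # $1 = pem file, $2 = CA certificate, $3 = host name
    pem=$1; cacrt=$2; host=$3
    head -n 1 "$pem" | grep -q '^-----BEGIN ' || return 1               # no text before the first block
    pub=$(pem_block "$pem" '.*PRIVATE KEY' | openssl pkey -pubout 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$(pem_block "$pem" CERTIFICATE | openssl x509 -noout -pubkey)" ] || return 2
    pem_block "$pem" CERTIFICATE | openssl verify -CAfile "$cacrt" >/dev/null 2>&1 || return 3
    pem_block "$pem" CERTIFICATE | openssl x509 -noout -text | grep -q "DNS:$host" || return 4
    pem_block "$pem" 'DH PARAMETERS' | openssl dhparam -noout -check >/dev/null 2>&1 || return 5
    [ "$(ls -l "$pem" | cut -c5-10)" = "------" ] || return 6            # holds the private key: owner only
}

# Usage: sh courier-cert.sh mail.example.test /path/to/ca /path/to/out
[ "$#" -eq 0 ] || { build_courier_pem "$1" "$2" "$3"; check_courier_pem "$3/$1.pem" "$2/ca.crt" "$1"; }
```

Run it as 'sh courier-cert.sh mail.example.test /path/to/ca /path/to/out' and then point TLS_CERTFILE in imapd-ssl and pop3d-ssl at the resulting .pem. The check function deliberately reads each PEM block out with sed before handing it to openssl, so the checks do not depend on which block a given openssl version picks first out of a combined file.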
Import your CA certificate into Outlook/Mozilla
Importing a CA certificate into a browser is covered in a separate article. The clients only stop warning once they trust the CA that signed this certificate, so this step is not optional.
This entry was posted in Knowledge Base, Networking, Old Base.