How to manually create a new certificate for uw-imap and ipop?

[TheMike]

I installed Debian 3.1 on a machine according to your Perfect setup HOWTO!

Now I have most of it working but I would like to update the two following files:
/etc/ssl/certs/imapd.pem
/etc/ssl/certs/ipo3d.pem
because they are incorrect.
I did not install ISPConfig and I also don't want to use it. (for this specific machine)
So I have to create these certificates manually.

Can someone show me the right step or syntax to do this?

[falko]

Please run

Code:

updatedb
locate imap
locate ipop

and post the output here.

[TheMike]

output from: locate imap

Code:

/etc/apache2/mods-available/imap.load
/etc/logcheck/ignore.d.paranoid/imap
/etc/logcheck/ignore.d.server/imapproxy
/etc/logcheck/ignore.d.server/uw-imapd
/etc/pam.d/imap
/etc/ssl/certs/imapd.pem
/lib/modules/2.6.8-2-386/modules.pcimap
/usr/include/c++/3.3/backward/multimap.h
/usr/include/c++/3.3/bits/stl_multimap.h
/usr/lib/apache2/modules/mod_imap.so
/usr/lib/mon/mon.d/imap.monitor
/usr/lib/php4/20020429/imap.so
/usr/lib/python2.3/imaplib.py
/usr/lib/python2.3/imaplib.pyc
/usr/lib/python2.3/imaplib.pyo
/usr/sbin/imapd
/usr/share/doc/apache2-doc/manual/mod/mod_imap.html
/usr/share/doc/apache2-doc/manual/mod/mod_imap.html.en
/usr/share/doc/apache2-doc/manual/mod/mod_imap.html.ko.euc-kr
/usr/share/doc/apache2-doc/manual/mod/mod_imap.xml.gz
/usr/share/doc/apache2-doc/manual/mod/mod_imap.xml.ko.gz
/usr/share/doc/apache2-doc/manual/mod/mod_imap.xml.meta
/usr/share/doc/HOWTO/en-txt/Qmail-VMailMgr-Courier-imap-HOWTO.gz
/usr/share/doc/libc-client2002edebian/imaprc.txt.gz
/usr/share/doc/php4-imap
/usr/share/doc/uw-imapd
/usr/share/doc/uw-imapd/bugs.txt.gz
/usr/share/doc/uw-imapd/buildinfo.gz
/usr/share/doc/uw-imapd/changelog.Debian.gz
/usr/share/doc/uw-imapd/copyright
/usr/share/doc/uw-imapd/NEWS.Debian.gz
/usr/share/doc/uw-imapd/README.Debian
/usr/share/doc/uw-imapd/RELNOTES.gz
/usr/share/doc/uw-imapd-ssl
/usr/share/doc/uw-imapd-ssl/buildinfo.gz
/usr/share/doc/uw-imapd-ssl/changelog.Debian.gz
/usr/share/doc/uw-imapd-ssl/copyright
/usr/share/doc/uw-imapd-ssl/NEWS.Debian.gz
/usr/share/doc/uw-imapd-ssl/README.Debian
/usr/share/doc/uw-imapd/TODO.Debian
/usr/share/linda/overrides/uw-imapd
/usr/share/lintian/overrides/php4-imap
/usr/share/lintian/overrides/uw-imapd
/usr/share/man/man8/imapd.8C.gz
/usr/share/webmin/apache/mod_imap.pl
/var/cache/apt/archives/php4-imap_4%3a4.3.10-16_i386.deb
/var/cache/apt/archives/uw-imapd-ssl_7%3a2002edebian1-11sarge1_all.deb
/var/lib/dpkg/info/php4-imap.config
/var/lib/dpkg/info/php4-imap.list
/var/lib/dpkg/info/php4-imap.md5sums
/var/lib/dpkg/info/php4-imap.postinst
/var/lib/dpkg/info/php4-imap.postrm
/var/lib/dpkg/info/php4-imap.prerm
/var/lib/dpkg/info/php4-imap.templates
/var/lib/dpkg/info/uw-imapd.conffiles
/var/lib/dpkg/info/uw-imapd.config
/var/lib/dpkg/info/uw-imapd.list
/var/lib/dpkg/info/uw-imapd.md5sums
/var/lib/dpkg/info/uw-imapd.postinst
/var/lib/dpkg/info/uw-imapd.postrm
/var/lib/dpkg/info/uw-imapd.preinst
/var/lib/dpkg/info/uw-imapd-ssl.list
/var/lib/dpkg/info/uw-imapd-ssl.md5sums
/var/lib/dpkg/info/uw-imapd.templates

output from: locate ipop

Code:

/etc/logcheck/ignore.d.server/ipopd
/etc/ssl/certs/ipop3d.pem
/usr/sbin/ipop2d
/usr/sbin/ipop3d
/usr/share/doc/ipopd
/usr/share/doc/ipopd/buildinfo.gz
/usr/share/doc/ipopd/changelog.Debian.gz
/usr/share/doc/ipopd/copyright
/usr/share/doc/ipopd/NEWS.Debian.gz
/usr/share/doc/ipopd/README.Debian
/usr/share/doc/ipopd-ssl
/usr/share/doc/ipopd-ssl/buildinfo.gz
/usr/share/doc/ipopd-ssl/changelog.Debian.gz
/usr/share/doc/ipopd-ssl/copyright
/usr/share/doc/ipopd-ssl/NEWS.Debian.gz
/usr/share/doc/ipopd-ssl/README.Debian
/usr/share/linda/overrides/ipopd
/usr/share/lintian/overrides/ipopd
/usr/share/man/man8/ipop2d.8C.gz
/usr/share/man/man8/ipop3d.8C.gz
/usr/share/man/man8/ipopd.8C.gz
/var/cache/apt/archives/ipopd_7%3a2002edebian1-11sarge1_i386.deb
/var/cache/apt/archives/ipopd-ssl_7%3a2002edebian1-11sarge1_all.deb
/var/lib/dpkg/info/ipopd.conffiles
/var/lib/dpkg/info/ipopd.config
/var/lib/dpkg/info/ipopd.list
/var/lib/dpkg/info/ipopd.md5sums
/var/lib/dpkg/info/ipopd.postinst
/var/lib/dpkg/info/ipopd.postrm
/var/lib/dpkg/info/ipopd.preinst
/var/lib/dpkg/info/ipopd-ssl.list
/var/lib/dpkg/info/ipopd-ssl.md5sums
/var/lib/dpkg/info/ipopd.templates

[falko]

Hm, I thought there might be a program that allows to re-create the certificates, but obviously there isn't for imapd and ipop3d. For Courier there's such a program...

[TheMike]

I think I managed it without the help of a tool!

This example is for Debian 3.1 and worked for me, it is neccesary to create your own Certificate Authority (CA) and sign it yourself or otherwise purchase a "real" X.509 certificate signed by a Certificate Authority (CA).

Please adjust paths if they are different on your system!

Code:

////////////////////////////////////////////////////
//Setup a TLS-enabled POP3/IMAP server
//We need to make crypto keys and certificates.
//Without them, TLS/SSL will not work.
////////////////////////////////////////////////////
//Create the key:
openssl genrsa -out ipop3d.pem 1024
chmod 0400 ipop3d.pem
cp -v ipop3d.pem /etc/ssl/keys
////////////////////////////////////////////////////
//Creating The CSR:
openssl req -new -key ipop3d.pem -out ipop3d.csr
mv ipop3d.csr /etc/ssl/csrs
////////////////////////////////////////////////////
//Signing the CSR:
openssl x509 -req -days 3650 -sha1 -CAcreateserial -in /etc/ssl/csrs/ipop3d.csr -CA /etc/ssl/certs/ca.domain.com.crt -CAkey /etc/ssl/keys/ca.domain.com.key -out ipop3d-cert.pem
chmod 0400 ipop3*
cat ipop3d-cert.pem >> ipop3d.pem
cp -v ipop3d.pem /etc/ssl/certs
cp -v ipop3d.pem /etc/ssl/certs/imapd.pem

Regards,
TheMike

[falko]

Thanks for the tip!

[themachine]

For future reference you can check out this howto as well:

http://www.5dollarwhitebox.org/wiki/...L_Certificates

[meldron]

I followed this guide step by step, but i don't get a working certificate. Something changed in the last year?

[falko]

Do you use Debian Sarge?

[meldron]

Yes, Debian Sarge 3.1

I was able to create a new one with the /var/lib/dpkg/info/ipopd.postinst. But with a manual created certificate i always get a authentification failure.