How to manually create a new certificate for uw-imap and ipop?

Discussion in 'HOWTO-Related Questions' started by TheMike, Nov 24, 2005.

  1. TheMike

    TheMike New Member

    I installed Debian 3.1 on a machine according to your Perfect setup HOWTO!

    Now I have most of it working but I would like to update the two following files:
    /etc/ssl/certs/imapd.pem
    /etc/ssl/certs/ipop3d.pem
    because they are incorrect.
    I did not install ISPConfig and I also don't want to use it (for this specific machine).
    So I have to create these certificates manually.

    Can someone show me the right step or syntax to do this?
     
  2. falko

    falko Super Moderator

    Please run
    Code:
    updatedb
    locate imap
    locate ipop
    and post the output here.
     
  3. TheMike

    TheMike New Member

    output from: locate imap
    Code:
    /etc/apache2/mods-available/imap.load
    /etc/logcheck/ignore.d.paranoid/imap
    /etc/logcheck/ignore.d.server/imapproxy
    /etc/logcheck/ignore.d.server/uw-imapd
    /etc/pam.d/imap
    /etc/ssl/certs/imapd.pem
    /lib/modules/2.6.8-2-386/modules.pcimap
    /usr/include/c++/3.3/backward/multimap.h
    /usr/include/c++/3.3/bits/stl_multimap.h
    /usr/lib/apache2/modules/mod_imap.so
    /usr/lib/mon/mon.d/imap.monitor
    /usr/lib/php4/20020429/imap.so
    /usr/lib/python2.3/imaplib.py
    /usr/lib/python2.3/imaplib.pyc
    /usr/lib/python2.3/imaplib.pyo
    /usr/sbin/imapd
    /usr/share/doc/apache2-doc/manual/mod/mod_imap.html
    /usr/share/doc/apache2-doc/manual/mod/mod_imap.html.en
    /usr/share/doc/apache2-doc/manual/mod/mod_imap.html.ko.euc-kr
    /usr/share/doc/apache2-doc/manual/mod/mod_imap.xml.gz
    /usr/share/doc/apache2-doc/manual/mod/mod_imap.xml.ko.gz
    /usr/share/doc/apache2-doc/manual/mod/mod_imap.xml.meta
    /usr/share/doc/HOWTO/en-txt/Qmail-VMailMgr-Courier-imap-HOWTO.gz
    /usr/share/doc/libc-client2002edebian/imaprc.txt.gz
    /usr/share/doc/php4-imap
    /usr/share/doc/uw-imapd
    /usr/share/doc/uw-imapd/bugs.txt.gz
    /usr/share/doc/uw-imapd/buildinfo.gz
    /usr/share/doc/uw-imapd/changelog.Debian.gz
    /usr/share/doc/uw-imapd/copyright
    /usr/share/doc/uw-imapd/NEWS.Debian.gz
    /usr/share/doc/uw-imapd/README.Debian
    /usr/share/doc/uw-imapd/RELNOTES.gz
    /usr/share/doc/uw-imapd-ssl
    /usr/share/doc/uw-imapd-ssl/buildinfo.gz
    /usr/share/doc/uw-imapd-ssl/changelog.Debian.gz
    /usr/share/doc/uw-imapd-ssl/copyright
    /usr/share/doc/uw-imapd-ssl/NEWS.Debian.gz
    /usr/share/doc/uw-imapd-ssl/README.Debian
    /usr/share/doc/uw-imapd/TODO.Debian
    /usr/share/linda/overrides/uw-imapd
    /usr/share/lintian/overrides/php4-imap
    /usr/share/lintian/overrides/uw-imapd
    /usr/share/man/man8/imapd.8C.gz
    /usr/share/webmin/apache/mod_imap.pl
    /var/cache/apt/archives/php4-imap_4%3a4.3.10-16_i386.deb
    /var/cache/apt/archives/uw-imapd-ssl_7%3a2002edebian1-11sarge1_all.deb
    /var/lib/dpkg/info/php4-imap.config
    /var/lib/dpkg/info/php4-imap.list
    /var/lib/dpkg/info/php4-imap.md5sums
    /var/lib/dpkg/info/php4-imap.postinst
    /var/lib/dpkg/info/php4-imap.postrm
    /var/lib/dpkg/info/php4-imap.prerm
    /var/lib/dpkg/info/php4-imap.templates
    /var/lib/dpkg/info/uw-imapd.conffiles
    /var/lib/dpkg/info/uw-imapd.config
    /var/lib/dpkg/info/uw-imapd.list
    /var/lib/dpkg/info/uw-imapd.md5sums
    /var/lib/dpkg/info/uw-imapd.postinst
    /var/lib/dpkg/info/uw-imapd.postrm
    /var/lib/dpkg/info/uw-imapd.preinst
    /var/lib/dpkg/info/uw-imapd-ssl.list
    /var/lib/dpkg/info/uw-imapd-ssl.md5sums
    /var/lib/dpkg/info/uw-imapd.templates
    
    output from: locate ipop
    Code:
    /etc/logcheck/ignore.d.server/ipopd
    /etc/ssl/certs/ipop3d.pem
    /usr/sbin/ipop2d
    /usr/sbin/ipop3d
    /usr/share/doc/ipopd
    /usr/share/doc/ipopd/buildinfo.gz
    /usr/share/doc/ipopd/changelog.Debian.gz
    /usr/share/doc/ipopd/copyright
    /usr/share/doc/ipopd/NEWS.Debian.gz
    /usr/share/doc/ipopd/README.Debian
    /usr/share/doc/ipopd-ssl
    /usr/share/doc/ipopd-ssl/buildinfo.gz
    /usr/share/doc/ipopd-ssl/changelog.Debian.gz
    /usr/share/doc/ipopd-ssl/copyright
    /usr/share/doc/ipopd-ssl/NEWS.Debian.gz
    /usr/share/doc/ipopd-ssl/README.Debian
    /usr/share/linda/overrides/ipopd
    /usr/share/lintian/overrides/ipopd
    /usr/share/man/man8/ipop2d.8C.gz
    /usr/share/man/man8/ipop3d.8C.gz
    /usr/share/man/man8/ipopd.8C.gz
    /var/cache/apt/archives/ipopd_7%3a2002edebian1-11sarge1_i386.deb
    /var/cache/apt/archives/ipopd-ssl_7%3a2002edebian1-11sarge1_all.deb
    /var/lib/dpkg/info/ipopd.conffiles
    /var/lib/dpkg/info/ipopd.config
    /var/lib/dpkg/info/ipopd.list
    /var/lib/dpkg/info/ipopd.md5sums
    /var/lib/dpkg/info/ipopd.postinst
    /var/lib/dpkg/info/ipopd.postrm
    /var/lib/dpkg/info/ipopd.preinst
    /var/lib/dpkg/info/ipopd-ssl.list
    /var/lib/dpkg/info/ipopd-ssl.md5sums
    /var/lib/dpkg/info/ipopd.templates
    
     
    Last edited: Nov 24, 2005
  4. falko

    falko Super Moderator

    Hm, I thought there might be a program that allows you to re-create the certificates, but obviously there isn't for imapd and ipop3d. :( For Courier there's such a program...
     
  5. TheMike

    TheMike New Member

    I think I managed it without the help of a tool!

    This example is for Debian 3.1 and worked for me. It is necessary to create your own Certificate Authority (CA) and sign it yourself, or otherwise purchase a "real" X.509 certificate signed by a Certificate Authority (CA).

    Please adjust paths if they are different on your system!

    Code:
    # Set up a TLS-enabled POP3/IMAP server.
    # We need to make crypto keys and certificates.
    # Without them, TLS/SSL will not work.

    # Create the key:
    openssl genrsa -out ipop3d.pem 1024
    chmod 0400 ipop3d.pem
    cp -v ipop3d.pem /etc/ssl/keys

    # Create the CSR:
    openssl req -new -key ipop3d.pem -out ipop3d.csr
    mv ipop3d.csr /etc/ssl/csrs

    # Sign the CSR with the CA certificate and key:
    openssl x509 -req -days 3650 -sha1 -CAcreateserial -in /etc/ssl/csrs/ipop3d.csr -CA /etc/ssl/certs/ca.domain.com.crt -CAkey /etc/ssl/keys/ca.domain.com.key -out ipop3d-cert.pem
    chmod 0400 ipop3*
    # Append the signed certificate to the key so one file holds both:
    cat ipop3d-cert.pem >> ipop3d.pem
    cp -v ipop3d.pem /etc/ssl/certs
    cp -v ipop3d.pem /etc/ssl/certs/imapd.pem
    
    Regards,
    TheMike
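
A way to check the combined key-plus-certificate file that the post above builds, before installing it (an added example, not part of the original thread): it confirms that the file holds both parts, that the key matches the certificate, that the certificate chains to the CA, and that it has not expired. Assumptions: a throwaway CA created in a temporary directory, constructed host and file names, 2048-bit RSA with SHA-256 rather than the post's 1024-bit/SHA-1, and an OpenSSL new enough to provide `openssl pkey` (1.0.0 or later).

```sh
#!/bin/sh
# Added example: build a combined key+cert PEM and check it before installing.
# The CA, host name and file names are constructed for this demo.
set -eu

# Hash of the public key inside a certificate or private key file.
pub_fp() (  # $1 = cert|key, $2 = PEM file
  if [ "$1" = cert ]; then openssl x509 -in "$2" -noout -pubkey
  else openssl pkey -in "$2" -pubout; fi | openssl dgst -sha256
)

# Create a throwaway CA and a server cert; write key+cert to $1/$2.pem.
make_pem() (  # $1 = work dir, $2 = host name
  umask 077   # private keys must not be readable by other users
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Demo CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
  openssl x509 -req -sha256 -days 30 -in "$1/$2.csr" -CA "$1/ca.crt" \
    -CAkey "$1/ca.key" -CAcreateserial -out "$1/$2.crt" 2>/dev/null
  cat "$1/$2.key" "$1/$2.crt" > "$1/$2.pem"
)

# Print OK, or the first reason the combined PEM would not work.
check_pem() (  # $1 = combined PEM, $2 = CA certificate
  grep -q 'PRIVATE KEY-----' "$1" || { echo "no private key"; exit 1; }
  grep -q 'BEGIN CERTIFICATE' "$1" || { echo "no certificate"; exit 1; }
  [ "$(pub_fp cert "$1")" = "$(pub_fp key "$1")" ] ||
    { echo "key/cert mismatch"; exit 1; }
  openssl x509 -in "$1" | openssl verify -CAfile "$2" >/dev/null 2>&1 ||
    { echo "not signed by CA"; exit 1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
    { echo "expired"; exit 1; }
  echo OK
)

# Demo: a matching pair passes; the same cert with another key is caught.
demo() (
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
  make_pem "$d" mail.example.test
  check_pem "$d/mail.example.test.pem" "$d/ca.crt"
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null
  cat "$d/other.key" "$d/mail.example.test.crt" > "$d/bad.pem"
  check_pem "$d/bad.pem" "$d/ca.crt" || true
)
demo
```

Running `check_pem` against the real file and CA certificate before copying it into `/etc/ssl/certs` shows which of the four conditions fails, if any.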
     
  6. falko

    falko Super Moderator

    Thanks for the tip! :)
     
  7. themachine

    themachine HowtoForge Supporter

  8. meldron

    meldron New Member

    I followed this guide step by step, but I don't get a working certificate. Something changed in the last year?
     
  9. falko

    falko Super Moderator

    Do you use Debian Sarge?
     
  10. meldron

    meldron New Member

    Yes, Debian Sarge 3.1

    I was able to create a new one with the /var/lib/dpkg/info/ipopd.postinst. But with a manually created certificate I always get an authentication failure.
     
  11. falko

    falko Super Moderator

    What exactly do you do when manually creating a cert?
     
