Worked out in RedHat, but might work elsewhere. Caution, these are my partial recollections. Should test it again to make sure it works. Maybe when I reinstall the mail server…
We work in /usr/share/ssl. Edit the openssl.cnf configuration file: set dir in the CA_default section to /usr/share/ssl, and set the default place for new certs (new_certs_dir) to $dir/certs. Change the defaults for countryName, etc., so that we won't have to type them in repeatedly.
Touch /usr/share/ssl/index.txt, and echo '100001' into /usr/share/ssl/serial.
We create a root certificate for our server. We don't really want to shell out money to a proper authority, right?
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem \
    -out cacert.pem -days 3650 -config ./openssl.cnf
Now the root certificate consists of /usr/share/ssl/cacert.pem and /usr/share/ssl/private/cakey.pem; the first is the public part, which we can distribute to people who want to trust us.
Now go to certs and create a request for the imapd certificate:
openssl req -new -nodes -out imapd-req.pem -keyout imapd-key.pem \
    -days 3650 -config ../openssl.cnf
and actually get the certificate with
openssl ca -out imapd-cert.pem -config ../openssl.cnf \
    -infiles imapd-req.pem
(-infiles must be last!) We'll need the passphrase we chose when creating the CA key. Last, merge the imapd key and certificate into a single file:
cat imapd-key.pem imapd-cert.pem > imapd.pem
Should be all! Imapd knows to look for /usr/share/ssl/certs/imapd.pem. See also how to use these certificates in OS X…
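The whole procedure as a script that builds a throwaway CA in a temporary directory and then checks the result before it would be deployed; this is an added example, not the post's own commands, and the subject names, temp-dir paths and the minimal openssl.cnf are my own stand-ins for the /usr/share/ssl setup above (it needs the openssl CLI).

```shell
# Added example, not the post's own commands: a throwaway CA laid out like the
# post (private/, certs/, index.txt, serial, openssl.cnf), one server cert signed
# with "openssl ca", and the checks to run before deploying the merged imapd.pem.
set -eu
make_ca_and_cert() {
  dir=$(mktemp -d)
  mkdir -p "$dir/certs" && mkdir -m 700 "$dir/private"   # keep the CA key private
  touch "$dir/index.txt"
  echo '100001' > "$dir/serial"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
new_certs_dir = \$dir/certs
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
default_days = 3650
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  # Root CA. -nodes only so this runs unattended; a real CA key stays passphrase-protected.
  openssl req -new -x509 -extensions v3_ca -nodes -subj '/CN=Example Root CA' \
    -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" -days 3650 \
    -config "$dir/openssl.cnf" >/dev/null 2>&1
  # Server request + key, signed by the CA (-infiles must come last), then merged.
  openssl req -new -nodes -subj '/CN=imap.example.test' -out "$dir/certs/imapd-req.pem" \
    -keyout "$dir/certs/imapd-key.pem" -config "$dir/openssl.cnf" >/dev/null 2>&1
  openssl ca -batch -out "$dir/certs/imapd-cert.pem" -config "$dir/openssl.cnf" \
    -infiles "$dir/certs/imapd-req.pem" >/dev/null 2>&1
  cat "$dir/certs/imapd-key.pem" "$dir/certs/imapd-cert.pem" > "$dir/certs/imapd.pem"
  chmod 600 "$dir/certs/imapd.pem"   # the bundle holds the private key
  echo "$dir"
}
# Before deploying: the cert must chain to our CA, and the key inside imapd.pem must
# be the one the cert was issued for (a mismatched pair fails at the TLS handshake).
verify_bundle() {
  openssl verify -CAfile "$1/cacert.pem" "$1/certs/imapd-cert.pem" >/dev/null 2>&1 || return 1
  key=$(openssl pkey -in "$1/certs/imapd.pem" -pubout 2>/dev/null)
  crt=$(openssl x509 -in "$1/certs/imapd.pem" -noout -pubkey 2>/dev/null)
  [ -n "$key" ] && [ "$key" = "$crt" ]
}
```

Run `d=$(make_ca_and_cert); verify_bundle "$d" && echo ok` to build and check the bundle; if the key and certificate were ever copied from different runs, the second check is what catches it.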
The same certificates can be used for Apache, but the key file goes into /etc/httpd/conf/ssl.key/server.key and the certificate file goes into /etc/httpd/conf/ssl.crt/server.crt.
Mmh… maybe /usr/share/ssl/misc/CA does all of the above?
Big thanks go to the kind folks at flatmtn.
© M. Vallisneri 2012 — last modified on 2010/01/29
Tantum in modicis, quantum in maximis