# howto update SSL certificates for qmail and outlook express

## newtonian

1 year after doing the right thing and setting my qmail server to use SSL, via the gentoo qmail howto http://www.gentoo.org/doc/en/qmail-howto.xml, my clients started to get error messages on send and receive due to expired SSL certificates.

I'm going to document the steps I went through to increase the default of 1 year to 10 years for the SMTP/POP3 and IMAP SSL certificates. I'll also show you how to create a der file so your Outlook Express clients don't generate errors every time they receive or send email.

qmail SMTP certificate:

1. verify the contents of your servercert.cnf. 

```
vim /var/qmail/control/servercert.cnf
```

2. edit mkservercert and change the 1 year default if you'd like to:

```
vim /var/qmail/bin/mkservercert
```

change the days section from 365 to 3650 for a 10 year certificate:

```
# expire on certifcate
days="365"
```

3. get rid of the old servercert.pem and run mkservercert

```
cd /var/qmail/control/
mv servercert.pem servercert.old.pem
rm clientcert.pem
/var/qmail/bin/mkservercert
```

4. Generate the der file for your outlook clients:

```
openssl x509 -in servercert.pem -outform DER -out certificate-for-outlook-smtp.der
```

5. Give the certificate-for-outlook-smtp.der to your clients or post it on a web page so they can click and install it to outlook.

here is some simple html:

```
<html>
<p><a href="http://mydomain.com/certificate-for-outlook-smtp.der">certificate-for-outlook-smtp</a></p>
<hr/>
<p><a href="http://mydomain.com/certificate-for-outlook-pop3.der">certificate-for-outlook-pop3</a></p>
</html>
```

Now let's do the same for the POP3 certificate

1. verify the contents of your pop3d.cnf. 

```
cd /etc/courier-imap
vim pop3d.cnf
```

2. edit mkpop3dcert and change the 1 year default if you'd like to:

```
vim /usr/sbin/mkpop3dcert
```

change the days argument:

```
/usr/bin/openssl req -new -x509 -days 365 
```

3. get rid of the old pop3d.pem and run mkpop3dcert

```
cd /etc/courier-imap
mv pop3d.pem pop3d.old.pem
mkpop3dcert
```

4. Generate the der file for your outlook clients:

```
openssl x509 -in pop3d.pem -outform DER -out certificate-for-outlook-pop3.der
```

5. Give the certificate-for-outlook-pop3.der to your clients or post it on a web page so they can click and install it to outlook.

for imap redo the pop3 explanation for steps 1 to 5 and change the filenames appropriately for imap.

Finally restart qmail

```
/etc/init.d/svscan restart
```

Although this works for me on my system, I'm a total newbie with qmail. So please let me know if I'm doing anything wrong in this howto.

Cheers,

Last edited by newtonian on Thu Feb 09, 2006 3:12 pm; edited 1 time in total
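The same regenerate-and-export procedure from the steps above, as an added shell example that is not part of the original howto or of the qmail/courier scripts it edits. It builds a self-signed certificate with the chosen lifetime, writes it in the combined key-then-certificate layout that servercert.pem uses, exports the DER copy for Outlook Express, and adds the two checks a practitioner wants before handing the file out: that the certificate really is valid for the expected number of days (so the next expiry is caught by a cron job rather than by the clients), and that the PEM and DER copies carry the same SHA-256 fingerprint. The hostname mail.example.com, the helper function names, and the use of a scratch directory instead of /var/qmail/control are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: regenerate a self-signed
# server certificate with a chosen lifetime, export the DER copy for
# Outlook Express, and check the result before it goes anywhere.
# Assumptions: hostname mail.example.com, the helper names below, and the
# "private key followed by certificate" layout of the output file.
# Run it against a scratch directory until you are happy with the output.
set -eu

# Create a private key and a self-signed certificate in one PEM file.
# $1 = output path, $2 = validity in days (365 was the old default,
# 3650 is the 10-year value from the howto), $3 = server hostname (CN)
make_selfsigned_cert() {
    out="$1"; days="$2"; cn="$3"
    tmpkey="$(mktemp)"; tmpcrt="$(mktemp)"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
        -subj "/CN=$cn" -keyout "$tmpkey" -out "$tmpcrt" 2>/dev/null
    cat "$tmpkey" "$tmpcrt" > "$out"
    # The file holds the private key: keep it owner-only and widen it only
    # to the uid/gid the mail daemon actually runs as.
    chmod 600 "$out"
    rm -f "$tmpkey" "$tmpcrt"
}

# Exit 0 if the certificate in $1 is still valid $2 days from now, 1 if not.
# Handy as a cron check so the expiry is noticed before the clients do.
cert_still_valid_in_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Convert the certificate in a PEM file to DER ($1 = PEM in, $2 = DER out).
# openssl x509 skips the key block and reads the first CERTIFICATE block,
# which is why the howto can run it straight on servercert.pem.
pem_to_der() {
    openssl x509 -in "$1" -outform DER -out "$2"
}

# SHA-256 fingerprint of a certificate; $2 is PEM or DER. Publish it next
# to the .der download so users can compare it with what Outlook shows.
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo run in a throwaway directory standing in for /var/qmail/control.
demo_dir="$(mktemp -d)"
make_selfsigned_cert "$demo_dir/servercert.pem" 3650 mail.example.com
pem_to_der "$demo_dir/servercert.pem" "$demo_dir/certificate-for-outlook-smtp.der"
openssl x509 -in "$demo_dir/servercert.pem" -noout -subject -enddate
echo "SHA-256: $(cert_fingerprint "$demo_dir/certificate-for-outlook-smtp.der" DER)"
if cert_still_valid_in_days "$demo_dir/servercert.pem" 3600; then
    echo "certificate is still valid 3600 days from now"
fi
rm -rf "$demo_dir"
```

The `-checkend` test is the one worth wiring into cron: with the 10-year value it stays quiet for a decade, and flipping the day count to something like 30 turns it into the early warning that the original one-year certificates never gave.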

----------

## Rüpel

i don't know if that is a problem, but mkservercert gives me

```
ln: `/var/qmail/control/clientcert.pem': File exists
```

after successfully creating /var/qmail/control/servercert.pem

----------

## Rüpel

anything else went fine.

qmail/courier run and the clients needed to import the new certificates. seems good so far.

----------

## newtonian

*Rüpel wrote:*

> i don't know if that is a problem, but mkservercert gives me
> 
> ```
> ln: `/var/qmail/control/clientcert.pem': File exists
> ```
> ...


That's telling you that there is already a servercert.pem in place.  

You probably missed this step:

```
mv servercert.pem servercert.old.pem
```

Without this step, mkservercert won't make a new cert for sending mail.

Cheers,

----------

## Rüpel

nope. i didn't miss that step. in fact, servercert.pem was created fine.

the message is about clientcert.pem - and i have not the slightest clue what this file is for...

----------

## newtonian

*Rüpel wrote:*

> nope. i didn't miss that step. in fact, servercert.pem was created fine.
> 
> the message is about clientcert.pem - and i have not the slightest clue, what this file is for...  


clientcert.pem is also necessary for sending TLS email.  It should be deleted as

well as servercert.pem, before you create a new cert.  You could do something like this before making a 

new server cert:

```
mv clientcert.pem clientcert.old.pem
```

Cheers,

----------

## Rüpel

actually, when looking at the mkservercert script, it looks like clientcert.pem is just a soft link to servercert.pem - i hadn't checked that yesterday, silly me.

so my understanding is that you can safely ignore the error message i got, because the link automatically points to the newly created file and everything is fine.

maybe you add a remark on that fact to your guide above?

----------

## newtonian

*Rüpel wrote:*

> actually, when looking at the mkservercert script, it looks like clientcert.pem is just a soft link to servercert.pem - i hadn't checked that yesterday, silly me.
> 
> so my understanding is that you can safely ignore the error message i got, because the link automatically points to the newly created file and everything is fine.
> 
> maybe you add a remark on that fact to your guide above?


Cool, thanks for checking that out.  I just added a line to delete the clientcert.pem.  

That should stop people from getting the "already exists"

error and mkservercert will create a new soft link for them.

```
cd /var/qmail/control/
mv servercert.pem servercert.old.pem
rm clientcert.pem
/var/qmail/bin/mkservercert
```

Thanks,

----------

