# [HOWTO] SSL Certificate for Apache + netqmail + courier-imap

## PatG

After struggling through this once, forgetting most of it and then doing it a second time I figured that I better document what needs to be done to create, obtain and install server certificates for web and email servers that I build. The initial installation follows the netqmail HOWTO in the Gentoo documentation.

http://www.gentoo.org/doc/en/qmail-howto.xml

For my experience I am using GoDaddy as they are the cheapest (non-free) Certificate Authority (CA). The nice thing about GoDaddy is that they are included by default in Windows clients eliminating the need for manual installation of CA certificates. GoDaddy also provides a turbo 'wildcard' certificate that allows you to secure as many variations of your domain name as needed. With this you get a single cert for *.mydomain.com. Note that this does not extend to multiple name based virtual hosts under Apache.

http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2

Prerequisites: You should have a completed install of Apache, netqmail and courier-imap. If you have iptables configured then you should have opened at least ports 443, 993 and 995.

Now for the process:

1. Generate your primary key. (you should be working as root or sudo all commands below)

```
# cd /root
```

with password*

```
# openssl genrsa -des3 -out mydomain.key 1024
```

or without password

```
# openssl genrsa -out mydomain.key 1024
```

*Note that if you generate a des3 encrypted key you will be required to supply a password when your init.d daemons start up. You will HAVE to be at the console of the server during reboot to supply this password or the boot process WILL NOT complete.

2. Generate certificate signing request

```
# openssl req -new -nodes -key mydomain.key -out mydomain.csr
```

You will be prompted with several questions for input on the csr generation.

For more information see the following links

http://openssl.org/docs/apps/genrsa.html#

http://sial.org/howto/openssl/csr/

3. Check the domain registered contact email address and be sure you can read messages for this account.

GoDaddy turbo certificates are verified with email responses. If you do not have access to the email account listed for the domain registration you will not be able to complete the process. Of course, other CA processes will differ.

4. Submit CSR to CA.

This will vary by CA but at some point you will submit the mydomain.csr created in step 2. If you are not sure how to process your csr at the CA website get the support phone number and give them a call. Since this is a paid service they tend to have good support lines to help bring the revenue in. I have found the GoDaddy support lines to be very knowledgeable and helpful on their certificate issuing processes.

5. Obtain server key.

Depending on the complexity (verification level) of the certificate request you may have to respond to email and/or phone calls and there will be some processing time (hours or days). Eventually, if all goes well, you will get your server cert. For GoDaddy you can log in to your account, manage certificates and, once you have selected the correct domain name, click "Reissue" to view your certificate. However the key is delivered, you want to save it to a file on your server. For my case of a wildcard cert I named this file "_.mydomain.com.crt". If you obtain a single cert it would make sense to call it "www.mydomain.com.crt" or something similar.

6. Obtain keychain files. This includes the "Intermediate certificate" and "Root certificate" mentioned below. For GoDaddy the keychain can be obtained as a single download from here --> https://certificates.godaddy.com/Repository.go. I saved mine as gd_intermediate_bundle.crt. Your case may be different so adjust accordingly.

7. Protect your files.

As the domain cert defines your identity on the internet you must safeguard the files. First copy (back up) your files to a safe location other than the server. Then on the server you should ensure that the cert files are available only to root or other privileged users.

```
# chown root:root ~/mydomain.key

# chown root:root ~/mydomain.csr

# chown root:root ~/_.mydomain.com.crt

# chmod 400 ~/mydomain.key

# chmod 400 ~/mydomain.csr

# chmod 400 ~/_.mydomain.com.crt
```

8. Apache SSL Configuration

```
# nano /etc/apache2/modules.d/41_mod_ssl.default-vhost.conf
```

Add the following lines under the appropriate sections

```
SSLCertificateFile /root/_.mydomain.com.crt
..
SSLCertificateKeyFile /root/mydomain.key
..
SSLCertificateChainFile /root/gd_intermediate_bundle.crt
```

Save the file when complete.

Note that the default Gentoo Apache install starts as root and then runs its processes under the apache user. This configuration is compatible with the restrictive file permissions set in step 7.

9. qmail - Assemble the parts

qmail requires a file in a completely assembled format. This file is stored with a "pem" extension in the format as follows:

```
-----BEGIN RSA PRIVATE KEY-----

(Private Key: mydomain.key)

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

(Primary SSL certificate: mydomain.crt)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(Intermediate certificate)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(Root certificate)

-----END CERTIFICATE-----
```

First you should make a copy of any existing file that would have been created in the initial install of qmail (if you followed the gentoo netqmail HOWTO or other similar document)

```
# mv /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
```

Now copy your real cert info into a new pem file.

```
# cat ~/mydomain.key ~/_.mydomain.com.crt ~/gd_intermediate_bundle.crt > /var/qmail/control/servercert.pem
```

Make sure that the file is readable by qmail.

```
# chown qmaild:qmail /var/qmail/control/servercert.pem

# chmod 400 /var/qmail/control/servercert.pem
```

10. Courier-imap

For courier-imap the "pem" file created for qmail can be reused.

First look at the contents of the courier-imap directory.

```
# ls /etc/courier-imap
```

If there are existing pem files you will have to rename or delete them before the next step. Note any existing imapd.pem or pop3d.pem files and issue the following commands accordingly.

```
# mv /etc/courier-imap/imapd.pem /etc/courier-imap/imapd.pem.bak

# mv /etc/courier-imap/pop3d.pem /etc/courier-imap/pop3d.pem.bak
```

Now create links to the previously generated qmail pem files.

```
# ln -s /var/qmail/control/servercert.pem /etc/courier-imap/imapd.pem

# ln -s /var/qmail/control/servercert.pem /etc/courier-imap/pop3d.pem
```

11. Restart daemons

```
# /etc/init.d/courier-imapd-ssl restart

# /etc/init.d/courier-pop3d-ssl restart

# /etc/init.d/svscan restart

# /etc/init.d/apache2 restart
```

When finished you can test your certificate installation with the following:

```
# openssl s_client -connect localhost:443

ctrl-d

# openssl s_client -connect localhost:993

ctrl-d

# openssl s_client -connect localhost:995

ctrl-d
```

You should see the server certificate and the certificate chain terminating in the Root CA information.  If you see "Automatically-generated" anywhere you still have old, self-signed certificates in the configuration.
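A check that can be run on the combined file from steps 9 and 10 before the daemons are restarted, as an added example that is not part of the original post: it confirms the block order, that group and other have no access, and that the private key matches the first certificate. The function names are illustrative; requiring at least two certificates reflects the key + certificate + bundle layout above, and the key is assumed to have no passphrase.

```shell
#!/bin/sh
# Added example: checks for a combined PEM like /var/qmail/control/servercert.pem.
# Function names are illustrative, not part of qmail, courier-imap or OpenSSL.

# Layout from step 9: one private key as the first block, then the server
# certificate plus at least one chain certificate, every BEGIN closed by an END.
pem_layout_ok() {
    awk '
        { sub(/\r$/, "") }                 # tolerate CRLF files from a CA download
        /^-----BEGIN / {
            n++; depth++
            if (depth > 1) bad = 1
            if ($0 ~ /PRIVATE KEY-----$/) { keys++; if (n != 1) bad = 1 }
            else if ($0 == "-----BEGIN CERTIFICATE-----") certs++
            else bad = 1
        }
        /^-----END / { depth--; if (depth < 0) bad = 1 }
        END { if (keys == 1 && certs >= 2 && depth == 0 && !bad) exit 0; exit 1 }
    ' "$1"
}

# True when group and other have no permission bits at all. -L follows the
# imapd.pem / pop3d.pem symlinks from step 10 to the real file.
pem_mode_ok() {
    [ "$(ls -lL "$1" | cut -c5-10)" = "------" ]
}

# True when the private key and the first certificate in the file carry the
# same public key (assumption: the key is not passphrase-protected).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run all three checks and report the first one that fails.
check_servercert() {
    pem_layout_ok "$1"    || { echo "$1: unexpected PEM layout" >&2; return 1; }
    pem_mode_ok "$1"      || { echo "$1: readable by group or other" >&2; return 1; }
    key_matches_cert "$1" || { echo "$1: key does not match certificate" >&2; return 1; }
    echo "$1: ok"
}

# When a path is given on the command line, check it.
[ -z "${1:-}" ] || check_servercert "$1"
```

Run it as root with the path to check, for example `/var/qmail/control/servercert.pem` or one of the courier-imap symlinks.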

----------

## d2_racing

Thanks for that howto :)

Last edited by d2_racing on Mon Feb 25, 2008 12:26 pm; edited 1 time in total

----------

## r00t440

Hello... Firstly, I must admit that I am a n00b at SSL certificates, that's why I'm here. I want to ask if a "challenge password" is required or optional. I was asked for a challenge password after doing step 2. What are the implications of a "challenge password"? Please elaborate a little, I'm sure there are users out there that don't know this stuff. Thanks for this great guide!

----------

## jbcrawford

I also had to update /usr/local/share/imapd.pem on Debian, you can link it to the qmail servercert.pem file...

```
# ln -s /var/qmail/control/servercert.pem /usr/local/share/imapd.pem
```

Then restart everything accordingly.

----------

