# SSL certificates...how?

## Infra

Okay, I hope you can help, because I don't have Gentoo but I have FreeBSD on my shell server.

The problem is that I need to make an SSL certificate for my IMAP and I don't know how. Could somebody help?

----------

## Genone

I've made myself a little script for host certificates; maybe it helps you (warning: it's quite custom-made for my setup, so you might need to adjust parts of it):

```
#!/bin/sh
# Generate a host key and certificate request, sign the request with the
# local CA and install the results.  Needs a CA that is already set up for
# `openssl ca` (directory, index.txt, serial, [ca] section in openssl.cnf).

if [ -z "$1" ]; then
        echo "Syntax: $0 <Name>"
        exit 1
fi

umask 0177      # every file created below is mode 0600

SSL_DIR=/home/ssl
NAME=$1
CERTFILE_IN=$NAME.cert.tmp      # this is really the request (CSR)
CERTFILE_OUT=$NAME.cert
KEYFILE_IN=$NAME.key.tmp
KEYFILE_OUT=$NAME.key

# Interactive: prompts for the DN fields and for a key passphrase.
openssl req -new -out "$CERTFILE_IN" -keyout "$KEYFILE_IN" || exit 1
# Sign the request with the CA configured in openssl.cnf.
openssl ca -in "$CERTFILE_IN" -out "$CERTFILE_OUT" || exit 1

read -p "Delete passphrase from private key? [y/N] " REPLY
if [ "$REPLY" = "y" ] || [ "$REPLY" = "Y" ]; then
        # A daemon cannot type a passphrase at boot, so strip it.
        openssl rsa -in "$KEYFILE_IN" -out "$KEYFILE_OUT"
else
        mv "$KEYFILE_IN" "$KEYFILE_OUT"
fi

cp "$CERTFILE_OUT" "$SSL_DIR/certs/hosts/$(basename "$CERTFILE_OUT" .cert)"
cp "$KEYFILE_OUT" "$SSL_DIR/keys/hosts/$(basename "$KEYFILE_OUT" .key)"
chmod 600 "$SSL_DIR/keys/hosts/$(basename "$KEYFILE_OUT" .key)"
chmod 644 "$SSL_DIR/certs/hosts/$(basename "$CERTFILE_OUT" .cert)"

# Don't leave the request and the passphrase-protected key copy behind.
rm -f "$CERTFILE_IN" "$KEYFILE_IN"
```

This should install the certificates in /home/ssl/certs/hosts/ and the keys in /home/ssl/keys/hosts/.

----------

## Infra

Okay, I get this error:

```
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
```

----------

## Genone

Sounds like your OpenSSL is not configured. Maybe the /etc/ssl/misc/CA.sh script can help you.
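Added example (the editor's, not code from any post in this thread): the minimal CA layout that `openssl ca` needs before a script like the one above can sign anything, plus a signing function whose failure mode is the "failed to update database / TXT_DB error number 2" from the post above. Error number 2 is an index clash: index.txt already holds a valid entry with the same subject (or the same serial), and with the default `unique_subject = yes` the database refuses the new row. The hostname imap.example.com, the CA name and all paths are invented for this example.

```shell
#!/bin/sh
# Added example (editor's, not from any post in this thread): the minimal CA
# that `openssl ca` needs, and a signing function whose failure mode is the
# thread's "failed to update database / TXT_DB error number 2" (error 2 =
# index clash: index.txt already has a valid row with this subject or serial
# and unique_subject is yes).  imap.example.com and all paths are invented.
set -u

# Lay out the CA directory and write its config.  $1 = dir, $2 = unique_subject.
ca_init() {
    dir=$1; uniq=${2:-yes}
    mkdir -p "$dir/newcerts" "$dir/private" && chmod 700 "$dir/private" || return 1
    : > "$dir/index.txt"        # the TXT_DB: one line per issued certificate
    echo 01 > "$dir/serial"     # next serial, hex, even number of digits
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
certificate    = $dir/ca.crt
private_key    = $dir/private/ca.key
default_days   = 365
default_md     = sha256
policy         = policy_cn
unique_subject = $uniq
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/private/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 3650 -config "$dir/openssl.cnf" \
        -key "$dir/private/ca.key" -subj "/CN=Example Mail CA" \
        -out "$dir/ca.crt" 2>/dev/null
}

# Unencrypted host key and CSR for hostname $1 at $2.key / $2.csr, config $3.
host_csr() {
    ( umask 077
      openssl genrsa -out "$2.key" 2048 2>/dev/null &&
      openssl req -new -config "$3" -key "$2.key" -subj "/CN=$1" \
          -out "$2.csr" 2>/dev/null )
}

# Sign $3.csr with the CA in $1 for hostname $2 -> $3.crt, stderr in $3.log.
# Returns openssl's status: with unique_subject = yes a second valid cert for
# the same subject is refused, which is one way to hit the error in the thread.
ca_sign() {
    cat > "$3.ext" <<EOF
[ host_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$2
EOF
    openssl ca -batch -notext -config "$1/openssl.cnf" -extfile "$3.ext" \
        -extensions host_ext -in "$3.csr" -out "$3.crt" 2>"$3.log"
}

# Chain check against the CA plus the hostname the mail client will use.
verify_host_cert() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

# Whole flow in a scratch directory; returns 0 when the host cert verifies.
demo() {
    work=$(mktemp -d -t imapca.XXXXXX) || return 1
    if ca_init "$work/ca" yes &&
       host_csr imap.example.com "$work/imap" "$work/ca/openssl.cnf" &&
       ca_sign "$work/ca" imap.example.com "$work/imap" &&
       verify_host_cert "$work/ca" imap.example.com "$work/imap.crt"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

if [ "${1:-}" = run ]; then
    demo && echo "imap.example.com: signed and verified against the CA"
fi
```

Run it as `sh ca-demo.sh run`. If you need to reissue a certificate for the same host while the old one is still valid, either revoke the old one (`openssl ca -revoke`) or set `unique_subject = no` in the `[ca]` section before the CA is first used; once index.txt.attr exists it records that choice.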

----------

## ClaesBas

Gentoo's Courier-IMAP does it this way.

First there is a "template" for the creation of the cert:

/etc/courier-imap/imapd.cnf

```
RANDFILE = /usr/share/imapd.rand

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=US
ST=NY
L=New York
O=Courier Mail Server
OU=Automatically-generated IMAP SSL key
CN=localhost
emailAddress=postmaster@example.com

[ cert_type ]
nsCertType = server
```

Especially change CN to your machine's fully qualified name (which should be the one registered in reverse DNS) for lookup of the host cert.

Do something like "dig -x <external IP of the machine>" to see what it should be (if you don't know).

The script that makes imapd.pem (the cert in PEM format) using the file above:

/usr/sbin/mkimapdcert

```
#! /bin/sh
#
# mkimapdcert,v 1.1 2001/01/02 03:54:25 drobbins Exp
#
# Copyright 2000 Double Precision, Inc.  See COPYING for
# distribution information.
#
# This is a short script to quickly generate a self-signed X.509 key for
# IMAP over SSL.  Normally this script would get called by an automatic
# package installation routine.

test -x /usr/bin/openssl || exit 0

prefix="/usr"
pemfile="/etc/courier-imap/imapd.pem"
randfile="/etc/courier-imap/imapd.rand"

if test -f $pemfile
then
        echo "$pemfile already exists."
        exit 1
fi

# Create the file empty and lock its permissions down before the key is
# written into it.
cp /dev/null $pemfile
chmod 600 $pemfile
chown root $pemfile

cleanup() {
        rm -f $pemfile
        rm -f $randfile
        exit 1
}

dd if=/dev/urandom of=$randfile count=1 2>/dev/null

# Key and self-signed certificate go into the same PEM file (-keyout and
# -out are the same path), followed by DH parameters.
/usr/bin/openssl req -new -x509 -days 365 -nodes \
        -config /etc/courier-imap/imapd.cnf -out $pemfile -keyout $pemfile || cleanup
/usr/bin/openssl gendh -rand $randfile 512 >> $pemfile || cleanup
/usr/bin/openssl x509 -subject -dates -fingerprint -noout -in $pemfile || cleanup
rm -f $randfile
```

I usually change the number of days the cert is going to last from 365 to something longer.

See the following manpages: openssl, req, x509, dhparam (gendh is obsoleted by dhparam).

If you have customers/family/friends connecting with the "LookOut" thing, create a DER-encoded copy of the (PEM) cert:

```
openssl x509 -in /etc/courier-imap/imapd.pem -out /tmp/imapd.cer -outform DER
```

And let them import or open that cert file to get rid of that annoying message asking whether they should trust the cert.

In Gentoo do:

```
rc-update add courier-imapd-ssl default
```

To get it started up by default (on port 993).

Then it's possible to read the mail (in ~/.maildir) with the mail client connected through "secure" IMAP with your local account.

I'm running Postfix (which works "out of the box" against ~/.maildir, as far as I remember).
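Added example (the editor's, not code from this post, from Courier or from Gentoo): the self-signed route above done with a prompt-free req config like imapd.cnf, writing key and certificate into one PEM file the way mkimapdcert does, then the DER copy for clients that import the cert. Two things differ from the 2001 template on purpose: the hostname is also put into subjectAltName, because most clients now match the name against SAN rather than CN, and the fingerprint is printed so users can compare it with what their client shows instead of blindly clicking "trust". The DH parameters mkimapdcert appends are left out. The hostname imap.example.com and all paths are invented.

```shell
#!/bin/sh
# Added example (editor's, not Courier's mkimapdcert): self-signed IMAP cert
# from a prompt-free req config, key + cert in one PEM, DER copy for clients.
# imap.example.com and all paths are invented for this example.
set -u

# Write a prompt-free req config for hostname $1 to file $2.  Unlike the 2001
# template the name also goes into subjectAltName, which is what clients match.
write_req_cnf() {
    cat > "$2" <<EOF
[ req ]
default_bits       = 2048
encrypt_key        = no
distinguished_name = req_dn
x509_extensions    = cert_type
prompt             = no
[ req_dn ]
O  = Courier Mail Server
CN = $1
[ cert_type ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$1
EOF
}

# Self-signed cert for host $1, valid $3 days (default 365), key then cert
# in $2.  Like mkimapdcert it refuses to clobber an existing file; unlike it,
# the key is never created world-readable and no half-written file survives.
mk_imapd_pem() {
    host=$1; pem=$2; days=${3:-365}
    if [ -e "$pem" ]; then
        echo "$pem already exists" >&2
        return 1
    fi
    write_req_cnf "$host" "$pem.cnf" || return 1
    if ( umask 077
         openssl req -new -x509 -days "$days" -config "$pem.cnf" \
             -keyout "$pem" -out "$pem.crt" 2>/dev/null &&
         cat "$pem.crt" >> "$pem" ); then
        rc=0
    else
        rc=1; rm -f "$pem"
    fi
    rm -f "$pem.cnf" "$pem.crt"
    return $rc
}

# Does the certificate in $1 carry $2 as a valid name?  (SAN first, CN only
# when there is no SAN.)  openssl prints "does match" / "does NOT match".
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# DER copy of the certificate only (the key is skipped) for mail clients.
pem_to_der() {
    openssl x509 -in "$1" -outform DER -out "$2" 2>/dev/null
}

# SHA-256 fingerprint of the cert in $1 ($2 = PEM or DER) to hand to users
# out of band, so they can compare it with the client's warning dialog.
cert_fingerprint() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^.*=//'
}

if [ "${1:-}" = run ]; then
    mk_imapd_pem imap.example.com ./imapd.pem 730 &&
    pem_to_der ./imapd.pem ./imapd.cer &&
    echo "SHA256 fingerprint: $(cert_fingerprint ./imapd.pem PEM)"
fi
```

Run it as `sh mkimapd-demo.sh run`; copy imapd.pem to /etc/courier-imap/imapd.pem (mode 600, owned by root) and give users imapd.cer plus the printed fingerprint. A self-signed cert only protects against passive sniffing if the user actually checks that fingerprint; otherwise anyone on the path can present their own "imap.example.com" cert and get the same click-through.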

----------

