Create a fresh self-signed SSL certificate for uw-imapd
|Debian (Etch, Lenny, Squeeze)|
|Ubuntu (Hardy, Intrepid, Jaunty, Karmic, Lucid, Maverick, Natty)|
To create a fresh self-signed SSL certificate for use by the UW IMAP daemon.
When the uw-imapd package is installed, a self-signed SSL certificate with an expiry date 1 year hence is created automatically. When that certificate expires, a fresh one is needed to avoid warnings when using IMAP over SSL or TLS.
First delete the existing certificate:
Next reconfigure the IMAP server package using the dpkg-reconfigure command:
dpkg-reconfigure -u -p critical uw-imapd
The -u and -p critical options should prevent any questions being asked during the reconfiguration. (-u suppresses questions that have been asked before, and -p suppresses questions with a lower priority than the one specified.)
Finally, extract the fingerprint of the newly generated certificate. Depending on what mail clients you use, you may need to do this using more than one message digest algorithm:
openssl x509 -in /etc/ssl/certs/imapd.pem -noout -fingerprint -sha1
openssl x509 -in /etc/ssl/certs/imapd.pem -noout -fingerprint -md5
These commands should give responses of the form:
Other users of the server should be warned that the certificate has been changed, as they will be asked to accept the new certificate when they next attempt to connect to the IMAP server using SSL or TLS. They should be encouraged to examine the certificate before accepting it (checking that its fingerprint matches one of those extracted above) to verify that it is genuine.
Attempt to connect to the IMAP server via SSL or TLS using a mail client such as Thunderbird/Icedove. Where the mail client previously warned that the SSL certificate had expired, it should now warn that the certificate is unrecognised and ask whether you wish to accept it. Check that the fingerprint matches then accept the certificate. Your mail account should now be accessible without further certificate-related warnings.
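The one-year expiry described above can be caught before mail clients start warning, and the same script can print the fingerprints to pass on to users once a fresh certificate is in place. This is an added example, not part of the original page; the function names and the 30-day warning threshold are assumptions.

```sh
#!/bin/sh
# Added example: warn before the uw-imapd certificate expires and print the
# fingerprints to pass on to users. Function names and the 30-day default
# threshold are assumptions; the certificate path is the one used on this page.

# cert_status CERT [WARN_DAYS]
#   0 = valid for more than WARN_DAYS days
#   1 = expires within WARN_DAYS days, or has already expired
#   2 = file missing, unreadable, or not a parseable certificate
cert_status() {
    cert=$1
    days=${2:-30}
    [ -r "$cert" ] || return 2
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" \
        >/dev/null 2>&1 || return 1
    return 0
}

# cert_report CERT: expiry date plus one fingerprint line per digest.
# sha1 and md5 are the digests used on this page; sha256 is added for
# clients that display it.
cert_report() {
    openssl x509 -in "$1" -noout -enddate || return 2
    for digest in sha256 sha1 md5; do
        openssl x509 -in "$1" -noout -fingerprint "-$digest" || return 2
    done
}

# check_imapd_cert [CERT] [WARN_DAYS]: message on stdout, status as above.
check_imapd_cert() {
    cert=${1:-/etc/ssl/certs/imapd.pem}
    rc=0
    cert_status "$cert" "${2:-30}" || rc=$?
    case $rc in
        0) echo "OK: $cert is not due to expire yet"; cert_report "$cert" ;;
        1) echo "RENEW: $cert expires within ${2:-30} days" ;;
        *) echo "ERROR: cannot read a certificate from $cert" ;;
    esac
    return "$rc"
}

# Run the check only when a certificate path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_imapd_cert "$@"
fi
```

Run from a daily cron job with the certificate path as its argument, a non-zero exit status signals that the certificate needs regenerating or could not be read.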