Create a fresh self-signed SSL certificate for uw-imapd
Specific to: Debian-based distributions
Tested on: Debian (Etch, Lenny, Squeeze); Ubuntu (Hardy, Intrepid, Jaunty, Karmic, Lucid, Maverick, Natty)
Objective
To create a fresh self-signed SSL certificate for use by the UW IMAP daemon.
Background
When the uw-imapd package is installed, a self-signed SSL certificate with an expiry date one year hence is created automatically. When that certificate expires, a fresh one is needed to avoid warnings when using IMAP over SSL or TLS.
Method
First delete the existing certificate:
rm /etc/ssl/certs/imapd.pem
Next, reconfigure the IMAP server package using the dpkg-reconfigure command:
dpkg-reconfigure -u -p critical uw-imapd
The -u and -p critical options should prevent any questions being asked during the reconfiguration. (-u suppresses questions that have been asked before, and -p suppresses questions with a lower priority than the one specified.)
Finally, extract the fingerprint of the newly generated certificate. Depending on what mail clients you use, you may need to do this using more than one message digest algorithm:
openssl x509 -in /etc/ssl/certs/imapd.pem -noout -fingerprint -sha1
openssl x509 -in /etc/ssl/certs/imapd.pem -noout -fingerprint -md5
These commands should give responses of the form:
SHA1 Fingerprint=52:A1:C9:26:4D:78:19:F0:72:27:21:FF:93:83:3A:B8:D1:2B:BF:D9
and:
MD5 Fingerprint=C0:05:D8:2F:F7:90:DA:AB:CB:E1:C0:13:22:A5:BF:BF
respectively.
Other users of the server should be warned that the certificate has been changed, as they will be asked to accept the new certificate when they next attempt to connect to the IMAP server using SSL or TLS. They should be encouraged to examine the certificate before accepting it (checking that its fingerprint matches one of those extracted above) to verify that it is genuine.
Testing
Attempt to connect to the IMAP server via SSL or TLS using a mail client such as Thunderbird/Icedove. Where the mail client previously warned that the SSL certificate had expired, it should now warn that the certificate is unrecognised and ask whether you wish to accept it. Check that the fingerprint matches then accept the certificate. Your mail account should now be accessible without further certificate-related warnings.
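The fingerprint check that the Method and Testing sections ask users to perform by eye can also be done from the command line. The following is an added example (not part of the original page and not uw-imapd's own tooling) using only the Python standard library: it fetches the certificate the live IMAPS server presents on port 993 and compares its digest with a fingerprint copied from the openssl output above, whatever the case or punctuation the mail client shows it in. The host name and the fingerprint are supplied by the caller; the cert path /etc/ssl/certs/imapd.pem is the one from the page.

```python
"""Check that the certificate an IMAPS server presents matches the
fingerprint extracted from /etc/ssl/certs/imapd.pem (added example)."""
import hashlib
import re
import socket
import ssl


def fingerprint(der: bytes, algo: str) -> str:
    """Colon-separated upper-case digest of a DER certificate, in the
    same format that 'openssl x509 -fingerprint' prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Accept 'SHA1 Fingerprint=52:A1:...', '52:a1:...' or '52a1...' and
    reduce each to bare upper-case hex so they compare equal."""
    hexpart = fp.split("=", 1)[-1]
    return re.sub(r"[^0-9A-Fa-f]", "", hexpart).upper()


def fingerprints_match(der: bytes, expected: str) -> bool:
    """Pick the digest algorithm from the expected fingerprint's length
    (MD5 = 32 hex digits, SHA-1 = 40, SHA-256 = 64) and compare."""
    algo = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(normalise(expected)))
    if algo is None:
        return False
    return normalise(fingerprint(der, algo)) == normalise(expected)


def fetch_server_cert(host: str, port: int = 993) -> bytes:
    """Fetch the DER certificate the IMAPS server presents. Chain
    verification is disabled here because a self-signed certificate
    cannot pass it; the fingerprint comparison is the trust decision."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def local_cert_der(path: str = "/etc/ssl/certs/imapd.pem") -> bytes:
    """DER form of the certificate file uw-imapd uses (run on the server)."""
    with open(path) as f:
        return ssl.PEM_cert_to_DER_cert(f.read())


if __name__ == "__main__":
    import sys  # usage: script.py imap.example.org "SHA1 Fingerprint=52:A1:..."
    der = fetch_server_cert(sys.argv[1])
    print("server presents", fingerprint(der, "sha1"))
    print("match" if fingerprints_match(der, sys.argv[2]) else "MISMATCH")
```

Run it on the server with local_cert_der() to confirm the file and the listener agree, and from a client machine to confirm nothing between the two has substituted a different certificate.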