Create a fresh self-signed SSL certificate for uw-imapd

Specific to

Debian-based distributions

Tested on

Debian (Etch, Lenny, Squeeze)
Ubuntu (Hardy, Intrepid, Jaunty, Karmic, Lucid, Maverick, Natty)

Objective

To create a fresh self-signed SSL certificate for use by the UW IMAP daemon.

Background

When the uw-imapd package is installed, a self-signed SSL certificate with an expiry date 1 year hence is created automatically. When that certificate expires a fresh one is needed to avoid warnings when using IMAP over SSL or TLS.

Method

First delete the existing certificate:

rm /etc/ssl/certs/imapd.pem

Next reconfigure the IMAP server package using the dpkg-reconfigure command:

dpkg-reconfigure -u -p critical uw-imapd

The -u and -p critical options should prevent any questions being asked during the reconfiguration. (-u suppresses questions that have been asked before, and -p suppresses questions with a lower priority than the one specified.)

Finally, extract the fingerprint of the newly generated certificate. Depending on what mail clients you use, you may need to do this using more than one message digest algorithm:

openssl x509 -in /etc/ssl/certs/imapd.pem -noout -fingerprint -sha1
openssl x509 -in /etc/ssl/certs/imapd.pem -noout -fingerprint -md5

These commands should give responses of the form:

SHA1 Fingerprint=52:A1:C9:26:4D:78:19:F0:72:27:21:FF:93:83:3A:B8:D1:2B:BF:D9

and:

MD5 Fingerprint=C0:05:D8:2F:F7:90:DA:AB:CB:E1:C0:13:22:A5:BF:BF

respectively.

Other users of the server should be warned that the certificate has been changed, as they will be asked to accept the new certificate when they next attempt to connect to the IMAP server using SSL or TLS. They should be encouraged to examine the certificate before accepting it (checking that its fingerprint matches one of those extracted above) to verify that it is genuine.

Testing

Attempt to connect to the IMAP server via SSL or TLS using a mail client such as Thunderbird/Icedove. Where the mail client previously warned that the SSL certificate had expired, it should now warn that the certificate is unrecognised and ask whether you wish to accept it. Check that the fingerprint matches then accept the certificate. Your mail account should now be accessible without further certificate-related warnings.

Tags: crypt | ssl | uw-imapd