Gogoat SSL Certificates

From Gruff Goat Wiki

Contents 1 Updating the SSL Certs 1.1 Joining the Chain 1.2 File Ownership and Permissions 1.3 Restart Services 1.4 Test Services 1.5 References

Updating the SSL Certs

Certificates are used for various parts of the the server including:

• Qmail
  • /var/qmail/control/servercert.pem
• OpenSSL
  • /usr/local/openssl/certs/servercert.pem
• IMAPd-ssl
  • /usr/local/share/courier-imap/imapd.pem
• POP3d-ssl
  • /usr/local/share/courier-imap/pop3d.pem
• My imap and pop3d services use the OpenSSL certificate

Review Using_OpenSSL if you need to create new certificates or a CSR.

Joining the Chain

The mail services use work best using a single file enclosing your full certificate chain. So join your chain thusly:

cat cert.key > servercert.pem
cat cert.crt >> servercert.pem
cat intermediary_cert.crt >> servercert.pem

File Ownership and Permissions

• Qmail
  • chown vpopmail:vchkpw servercert.pem
  • chown qmaild clientcert.pem
• OpenSSL
  • chown root:root servercert.pem
• IMAPs and POP3d
  • chown vpopmail:vchkpw servercert.pem
• All
  • chmod 400

Restart Services

qmail restart
/usr/local/etc/rc.d/imapd-ssl.sh restart
 /usr/local/etc/rc.d/pop3d-ssl.sh restart

Test Services

openssl s_client -connect www.gogoat.net:993    #IMAP
openssl s_client -connect www.gogoat.net:995    #POP3

References

1. Use a Singed SSL Certificate