Gogoat SSL Certificates

From Gruff Goat Wiki
Jump to: navigation, search

Updating the SSL Certs

Certificates are used for various parts of the the server including:

  • Qmail
    • /var/qmail/control/servercert.pem
  • OpenSSL
    • /usr/local/openssl/certs/servercert.pem
  • IMAPd-ssl
    • /usr/local/share/courier-imap/imapd.pem
  • POP3d-ssl
    • /usr/local/share/courier-imap/pop3d.pem
  • My imap and pop3d services use the OpenSSL certificate

Review Using_OpenSSL if you need to create new certificates or a CSR.

Joining the Chain

The mail services use work best using a single file enclosing your full certificate chain. So join your chain thusly:

cat cert.key > servercert.pem
cat cert.crt >> servercert.pem
cat intermediary_cert.crt >> servercert.pem

File Ownership and Permissions

  • Qmail
    • chown vpopmail:vchkpw servercert.pem
    • chown qmaild clientcert.pem
  • OpenSSL
    • chown root:root servercert.pem
  • IMAPs and POP3d
    • chown vpopmail:vchkpw servercert.pem
  • All
    • chmod 400

Restart Services

qmail restart
/usr/local/etc/rc.d/imapd-ssl.sh restart
/usr/local/etc/rc.d/pop3d-ssl.sh restart

Test Services

openssl s_client -connect www.gogoat.net:993    #IMAP
openssl s_client -connect www.gogoat.net:995    #POP3
openssl s_client -connect www.gogoat.net:993 | openssl x509 -text #BETTER


  1. Use a Signed SSL Certificate