Making a Courier IMAP SSL certificate.

I run Courier IMAP over SSL to my mail server, until now with the self-signed server certificate Debian set up for me, but I’ve finally managed to create a ‘real’ server certificate following the instructions at http://milliwaysconsulting.net/support/systems/courier-ssl.html.
The certificate is signed by CAcert.org.

Getting the certificate

You need the openssl package installed to do this.
The steps are as follows:

  1. Create a host key for encryption and signing
  2. Create a CSR (Certificate signing request)
  3. Get the CSR signed by CAcert.org
  4. Build a PEM (Privacy Enhanced Mail) file for the Courier imapd

The host key to be used for encryption and signing can be made with these commands (which I ran in the directory /etc/ssl):

openssl genrsa -out mail.key 2048
chmod 400 mail.key

Next, the actual request file is made with

openssl req -new -nodes -key mail.key -out mail.csr

You’ll have to answer a few questions. The most important is for the CommonName, for which you have to give the exact hostname of the mail server you want the certificate for.
The CSR file is what is sent to the Certificate Authority (CA) who has to sign it. I used CAcert.org which makes certificates for free, but any CA can be used. Each appears to have a separate procedure.
At CAcert.org you’ll have to register, add an email address, add the domain you’ll use and then send the CSR for signing. CAcert.org will return a signed server certificate.
Save the certificate as mail.crt.
Last, you’ll have to create the PEM file used by Courier imapd. It consists of three parts: 1) the host key made initially, 2) the signed certificate from the CA, and 3) Diffie-Hellman parameters.

mv /etc/courier/imapd.pem{,selfsigned}
cat mail.key mail.crt > /etc/courier/imapd.pem
openssl dhparam 2048 >> /etc/courier/imapd.pem
sh /etc/init.d/courier-imap-ssl restart

The next time you connect to the IMAP server over SSL, it should present the new certificate.
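
The assembled imapd.pem holds the private key next to the certificate and the DH parameters, so it is worth checking before the daemon is restarted. The script below is an added example, not part of the original post: it checks such a bundle for group/other access bits, for the three expected PEM blocks, and for the size of the DH prime. The function names, the owner-only permission rule and the 2048-bit minimum are assumptions of this example.

```python
import base64, os, re, stat, sys

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_len(buf, i):
    """Decode the DER length starting at buf[i]; return (length, value offset)."""
    n = buf[i]
    if n < 0x80:
        return n, i + 1
    k = n & 0x7F  # long form: low 7 bits give the number of length bytes
    return int.from_bytes(buf[i + 1:i + 1 + k], "big"), i + 1 + k

def dh_prime_bits(der):
    """DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }; size of prime."""
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, i = der_len(der, 1)
    if der[i] != 0x02:
        raise ValueError("prime is not an INTEGER")
    n, i = der_len(der, i + 1)
    return int.from_bytes(der[i:i + n], "big").bit_length()

def check_bundle(path, min_dh_bits=2048):
    """Return a list of problems in a key + certificate + DH PEM bundle."""
    problems = []
    # The bundle contains the private key, so only the owner should have access.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("file is accessible to group/other")
    with open(path) as fh:
        blocks = PEM_RE.findall(fh.read())
    labels = [label for label, _ in blocks]
    if sum(label.endswith("PRIVATE KEY") for label in labels) != 1:
        problems.append("expected exactly one private key block")
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block")
    dh = [body for label, body in blocks if label == "DH PARAMETERS"]
    if not dh:
        problems.append("no DH PARAMETERS block")
    else:
        bits = dh_prime_bits(base64.b64decode(dh[0]))
        if bits < min_dh_bits:
            problems.append(f"DH prime is only {bits} bits")
    return problems

if __name__ == "__main__":
    # Default path is the file written in the post; pass another as argv[1].
    found = check_bundle(sys.argv[1] if len(sys.argv) > 1 else "/etc/courier/imapd.pem")
    print("\n".join(found) or "bundle looks sane")
    sys.exit(1 if found else 0)
```

Run it as root against /etc/courier/imapd.pem; a non-zero exit status means at least one problem was reported.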

Adding the CA root certificate to the clients

The mail clients used might not know the CA which signed the certificate. If that is the case, your users will see little difference over a self-signed certificate, since they’ll still be greeted with a message about an unknown CA having signed the certificate.
The CA root certificate has to be made known to the client. On Debian I already had the CAcert.org root certificate on my system in /etc/ssl/certs/cacert.org.pem, but Mozilla Thunderbird didn’t know it. If needed the CAcert.org root certificate can be downloaded from their site.
In Mozilla Thunderbird on Debian the procedure is this:

  1. Open “Edit | Preferences”
  2. Select “Advanced | Certificates | Manage Certificates”
  3. Select the tab “Authorities”
  4. Click “Import” and select /etc/ssl/certs/cacert.org.pem or the downloaded root.crt file.
  5. Click Open

Now restart Thunderbird and the certificate should be accepted without any questions.


Comments

3 responses to “Making a Courier IMAP SSL certificate.”

  1. Hi buddy,

    thanks for this article. I dealt with this topic today and had a few strange error messages with courier – I was not aware that it needs a PEM file… didn’t know what this is or how to build… now I know… thanks again 🙂

  2. great tip, thanks!

  3. René Seindal

    I myself need to return to this page once a year 🙂
