Dovecot, Lighttpd and SSL certificate renewals

Published by Jon on December 1st, 2010 in Debian, Notes, Tech

This is a mental note really, since my certificates last two years and I’ve always forgotten what to do about it.

  1. Generate a new request:
    openssl req -new -key <keyfile> -out <csrfile>
    StartSSL throws away all properties of the request except the key, so any answers will do.
  2. Re-use the request you sent last time (thanks Noel).
  3. Get the certificate signed.
  4. Dovecot expects a key in /etc/ssl/private/dovecot.pem and a certificate chain in /etc/ssl/certs/dovecot.pem. Build the chain, CERTIFICATE FIRST:
    cat <crt> sub_class2.pem ca.pem > /etc/ssl/certs/dovecot.pem
  5. Reload Dovecot and test from somewhere remote:
    openssl s_client -connect <server>:imaps
  6. Coffee time.

Lighttpd is basically the same, but additionally expects the key to be at the top of the certificate chain file.
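The chain-building step above is where renewals usually go wrong, so here is an added shell example (not from the original post) that builds a throwaway root -> intermediate -> server chain with openssl, assembles the Dovecot file certificate-first and the Lighttpd file key-first, and checks both the way you would want to before reloading a daemon. Every name in it (Example-Root, Example-Sub, mail.example.com, the file names) is constructed for the demo; no StartSSL material is involved.

```sh
#!/bin/sh
# Added example, not from the post: build a throwaway root -> intermediate ->
# server chain with openssl, assemble the Dovecot file CERTIFICATE FIRST
# (step 4) and the Lighttpd file with the key on top, and check both before
# reloading anything. Every name below (Example-Root, mail.example.com, the
# file names) is constructed for the demo; no StartSSL material is involved.
set -eu
WORK=$(mktemp -d); cd "$WORK"
q() { "$@" >/dev/null 2>&1; }   # run a command quietly

# Stand-ins for StartSSL's ca.pem (root) and sub_class2.pem (intermediate).
q openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 2 -subj /CN=Example-Root
q openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr -subj /CN=Example-Sub
printf 'basicConstraints=CA:TRUE\n' > ca.ext
q openssl x509 -req -in sub.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 2 -extfile ca.ext -out sub_class2.pem
# Our own key and request (step 1), signed by the intermediate (step 3).
q openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj /CN=mail.example.com
q openssl x509 -req -in server.csr -CA sub_class2.pem -CAkey sub.key -CAcreateserial -days 2 -out server.crt

cat server.crt sub_class2.pem ca.pem > dovecot.pem   # step 4: certificate first
cat server.key dovecot.pem > lighttpd.pem            # Lighttpd: key on top of the same chain
cat ca.pem sub_class2.pem server.crt > wrong.pem     # the classic mistake: root first

# key_matches_first_cert KEY CHAIN: does the first CERTIFICATE block in CHAIN
# carry the public key of the first PRIVATE KEY block in KEY? Both openssl
# readers skip PEM blocks of other types, so a combined Lighttpd file works.
key_matches_first_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}
# chain_verifies ROOT CHAIN: does the first cert in CHAIN chain up to ROOT using
# the remaining certs in CHAIN as untrusted intermediates? This is what the
# remote s_client check in step 5 reproduces. Note that wrong.pem passes it
# (its first cert is the trusted root itself), so only the key check catches
# that mistake; run both.
chain_verifies() {
    q openssl verify -CAfile "$1" -untrusted "$2" "$2"
}

key_matches_first_cert server.key dovecot.pem  && echo "dovecot.pem: key matches first cert"
chain_verifies ca.pem dovecot.pem              && echo "dovecot.pem: chain verifies"
key_matches_first_cert server.key lighttpd.pem && echo "lighttpd.pem: key matches first cert"
key_matches_first_cert server.key wrong.pem    || echo "wrong.pem: first cert is not ours"
```

For a real renewal, point the two functions at /etc/ssl/private/dovecot.pem and /etc/ssl/certs/dovecot.pem (with the CA's real root as ROOT) before reloading Dovecot.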


One Response to “Dovecot, Lighttpd and SSL certificate renewals”

  1. Noel (er Envite) Says:

    Step 1 is not needed: you can REUSE the certificate request, as it has no date at all.