Dovecot, Lighttpd and SSL certificate renewals

This is a mental note really, since my certificates last two years and I’ve always forgotten what to do about it.

  1. Generate a new request:
    openssl req -new -key <keyfile> -out <csrfile>
    StartSSL throw away all properties of the request except the key, so any answers will do.
  2. Re-use the request you sent last time (thanks Noel).
  3. Get the certificate signed.
  4. Dovecot expects a key in /etc/ssl/private/dovecot.pem and a certificate chain in /etc/ssl/certs/dovecot.pem. Build the chain, CERTIFICATE FIRST:
    cat <crt> sub_class2.pem ca.pem > /etc/ssl/certs/dovecot.pem
  5. Reload Dovecot and test from somewhere remote:
    openssl s_client -connect <server>:imaps
  6. Coffee time.

Lighttpd is basically the same, but additionally expects the key to be in the top of the certificate chain.

One Comment

  1. Step 1 is not needed: you can REUSE the certificate request, as it has no date at all.

Comments are closed.