This is a mental note really, since my certificates last two years and I’ve always forgotten what to do about it.
- Generate a new request, re-using the existing key (so a renewal does not rotate it; generate a fresh key first if you want that):
openssl req -new -key <keyfile> -out <csrfile>
StartSSL throws away every property of the request except the public key, so any answers to the prompts will do.
- Re-use the request you sent last time (thanks Noel).
- Get the certificate signed.
- Dovecot expects the key in /etc/ssl/private/dovecot.pem (root-owned, mode 0600) and the certificate chain in /etc/ssl/certs/dovecot.pem. Build the chain CERTIFICATE FIRST, then the StartSSL intermediate, then the root (the root is optional but harmless):
cat <crt> sub_class2.pem ca.pem > /etc/ssl/certs/dovecot.pem
- Reload Dovecot and test from somewhere remote (imaps is port 993; -servername makes the SNI match, and adding -CAfile or -CApath makes s_client actually verify the chain). Look for "Verify return code: 0 (ok)" and the new expiry date in the output, not just a successful handshake:
openssl s_client -connect <server>:imaps -servername <server>
- Coffee time.
Lighttpd is basically the same, except that its ssl.pemfile holds the private key and the certificate together in one file, key at the top. Since that file contains the key, it needs the same tight permissions as /etc/ssl/private/dovecot.pem, not the world-readable ones of /etc/ssl/certs.
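The whole chain-building step, with the checks I would want before reloading anything, as an added example (not part of the original note). It builds the Dovecot chain file certificate-first and the lighttpd key+cert file key-first, then confirms that the first certificate in the chain is the server certificate, that the chain verifies up to the root, and that the key actually matches the certificate. Paths are placeholders; make_demo_pki generates a throwaway root, intermediate and leaf locally (named sub_class2.pem and ca.pem only to mirror the note) so the checks can be exercised without a real CA.

```shell
#!/bin/sh
# Added example, not from the original note. Builds and sanity-checks the
# Dovecot chain file and the lighttpd key+cert file before any reload.
set -eu

# build_chain LEAF INTERMEDIATE ROOT OUT
# Order matters: the server certificate first, then the issuing
# intermediate(s), then the root. This file holds no secrets.
build_chain() {
    cat "$1" "$2" "$3" > "$4"
    chmod 0644 "$4"
}

# build_lighttpd_pem KEY LEAF OUT
# lighttpd's ssl.pemfile carries the private key and the certificate in
# one file, key on top, so it must be as private as the key itself.
build_lighttpd_pem() {
    cat "$1" "$2" > "$3"
    chmod 0600 "$3"
}

# first_cert_is CHAIN LEAF -> 0 if the first certificate in CHAIN is LEAF.
# openssl x509 reads only the first PEM block, which is exactly what the
# server will present as its own certificate.
first_cert_is() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}

# chain_verifies CHAIN ROOT -> 0 if the first cert in CHAIN chains up to
# ROOT, using the other certs in CHAIN as untrusted intermediates.
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# key_matches KEY CERT -> 0 if the public key in CERT belongs to KEY.
# Both commands emit the SubjectPublicKeyInfo as PEM, so compare as text.
key_matches() {
    a=$(openssl pkey -in "$1" -pubout)
    b=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$a" = "$b" ]
}

# make_demo_pki DIR: a constructed root -> intermediate -> leaf hierarchy
# for testing only. A real renewal uses the CA's own intermediate and root.
make_demo_pki() {
    d=$1
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\n' > "$d/req.cnf"
    printf 'basicConstraints = critical,CA:TRUE\n' > "$d/ca.ext"
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:mail.example.org\n' > "$d/leaf.ext"
    openssl req -config "$d/req.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj /CN=DemoRoot -keyout "$d/root.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -config "$d/req.cnf" -new -newkey rsa:2048 -nodes \
        -subj /CN=DemoIntermediate -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/inter.csr" -CA "$d/ca.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/sub_class2.pem" 2>/dev/null
    openssl req -config "$d/req.cnf" -new -newkey rsa:2048 -nodes \
        -subj /CN=mail.example.org -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/sub_class2.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/server.crt" 2>/dev/null
}

# Stand-alone demo: ./renew-check.sh demo  (hypothetical script name)
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_demo_pki "$d"
    build_chain "$d/server.crt" "$d/sub_class2.pem" "$d/ca.pem" "$d/dovecot.pem"
    build_lighttpd_pem "$d/server.key" "$d/server.crt" "$d/lighttpd.pem"
    first_cert_is "$d/dovecot.pem" "$d/server.crt" && echo "leaf is first: ok"
    chain_verifies "$d/dovecot.pem" "$d/ca.pem" && echo "chain verifies: ok"
    key_matches "$d/server.key" "$d/server.crt" && echo "key matches cert: ok"
fi
```

For a real renewal, point build_chain at the signed certificate and the CA's intermediate and root, run the three checks against the resulting /etc/ssl/certs/dovecot.pem and the key in /etc/ssl/private, and only then reload. A chain that is root-first still "verifies" as far as openssl verify is concerned (it just verifies the root), which is why first_cert_is exists as a separate check.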