It’s that time of year again for me. My certificates which I normally give a lifespan of a year expired again. I thought I should write down the procedure for refreshing your certificates for all of you and myself so you don’t need to wade through the complete documentation set to find the relevant parts. I hope it as usefull to as it will be for me in a year.

First we’ll do the postifx SMTP TLS/SSL part.

Just open a Terminal and execute the following command in the directory ‘/etc/postfix‘:

sudo openssl req -new -outform PEM -out smtpd.cert \
    -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM \
    -days 365 -x509

This will create a 2048 bit encryption key that, for now, is secure enough for you mailserver to use. If you are paranoid and want a bigger key just increase the number after rsa:. The key will be valid for a year, if you want a longer period just increase the number after the -days option. When the key is finished you will be asked a couple of questions you need to answer. The information will be shown to people who want to see your certificate when their mail client complains. The most important one is the ‘Common Name’, make sure that that one is the same as the mail server name. Also please make sure that all your answers are the same as the original certificate.

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:your.mailserver.tld
Email Address []:you@yourdomain.tld

To make sure everything is refreshed do a ‘sudo postfix reload‘ and try to send an email.

For the IMAP server it is a bit simpler as all the details there are put in a configuration file that still should be there: ‘/usr/local/etc/imapd.cnf‘. Please check the contents of the file and if they don’t relfect your setup please edit the file as described here.

When everything is verified and found in the correct state you can go to the directory ‘/usr/local/share‘ and run ‘sudo ./mkimapdcert‘ to generate a new certificate. Make sure you remove the existing ‘imapd.pem‘ in the same directory first or no new certificate will be created.

Start up your favourite mail client and check the certificate.

All should be in the correct state and our certificates are valid for another year.