I run my own mail server, including SMTP (exim4) and IMAP (dovecot). Connections to both of these are encrypted with SSL; however, I’m too lazy and cheap to buy a real certificate. Instead, I self-sign and pay attention to the fingerprint when approving the connection on the client end.
The problem is that these certificates expire. And, they don’t do it very often, so I forget how to generate new ones, and for some reason my google-fu is severely lacking in this area. So, here are notes on how to regenerate Exim and Dovecot self-signed certificates on Debian, for future me and perhaps you too.
(The above notwithstanding, lately http://wiki.debian.org/SSLkeys has emerged as a good resource for these and many other programs. That’s where much of the below came from.)
Anyway, first off, it’s not always obvious which certificate has expired. You can find out with:
$ openssl x509 -in /etc/exim4/exim.crt -text -noout | less
$ openssl x509 -in /etc/ssl/certs/dovecot.pem -text -noout | less
To regenerate for exim:
$ cd /usr/share/doc/exim4-base/examples
$ ./exim-gencert --force
$ /etc/init.d/exim4 restart
$ openssl x509 -in /etc/exim4/exim.crt -fingerprint -sha1 -noout
That last line will print the SHA1 fingerprint of the new certificate, which you can (and should) verify when connecting with your e-mail client, to make sure there’s no man-in-the-middle happening. (With a “real” certificate, the CA chain and your domain name verify this, IIRC.)
On to dovecot:
$ rm /etc/ssl/certs/dovecot.pem
$ rm /etc/ssl/private/dovecot.pem
$ dpkg-reconfigure dovecot-common
$ openssl x509 -in /etc/ssl/certs/dovecot.pem -fingerprint -sha1 -noout
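The steps above (check expiry, regenerate, print the fingerprint) as one small shell script. This is an added example, not part of the original post and not the Debian helpers it uses: it calls openssl directly instead of exim-gencert or dpkg-reconfigure, uses `openssl x509 -checkend` so you can see an expiry coming rather than discovering it when the client complains, and prints a SHA-256 fingerprint where the post uses SHA1 (the client-side comparison works the same way). The paths in the report at the bottom are the Debian defaults named in the post; the host name and validity period are constructed parameters.

```shell
#!/bin/sh
# Added example: expiry check, fingerprint and self-signed regeneration for
# mail-server certificates, using openssl directly (not exim-gencert or
# dpkg-reconfigure). Paths and host names are parameters.
set -eu

# Return 0 if the certificate in $1 is still valid for at least $2 more days
# (default 14), 1 if it expires before then or has already expired.
cert_valid_for_days() {
    crt=$1
    days=${2:-14}
    openssl x509 -in "$crt" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Print the SHA-256 fingerprint of $1 as colon-separated hex; this is the
# value to compare against what the mail client shows before accepting it.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Write a fresh 2048-bit RSA key to $1 and a self-signed certificate to $2
# for host $3, valid for $4 days (default 365). The subshell umask makes the
# key file mode 0600 from the moment it is created, so it is never
# world-readable. -addext needs OpenSSL 1.1.1 or newer.
gen_selfsigned() {
    key=$1
    crt=$2
    host=$3
    days=${4:-365}
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
            -keyout "$key" -out "$crt" -days "$days" \
            -subj "/CN=$host" \
            -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
    )
}

# Report on each certificate path given: missing, expiring soon, or OK with
# its fingerprint so you can record it before the client asks.
report_certs() {
    for crt in "$@"; do
        if [ ! -r "$crt" ]; then
            echo "$crt: not found or not readable"
            continue
        fi
        if cert_valid_for_days "$crt" 14; then
            echo "$crt: ok, SHA256 $(cert_fingerprint "$crt")"
        else
            echo "$crt: expires within 14 days or already expired"
        fi
    done
}

# Stand-alone use: ./certcheck.sh --report
# Checks the Debian default locations named in the post.
if [ "${1:-}" = "--report" ]; then
    report_certs /etc/exim4/exim.crt /etc/ssl/certs/dovecot.pem
fi
```

To regenerate with this instead of the packaged helpers, call `gen_selfsigned /etc/exim4/exim.key /etc/exim4/exim.crt mail.example.invalid 365`, restart the daemon, and note the fingerprint `cert_fingerprint` prints so you can compare it when the client next prompts; a mismatch at that prompt is the only signal a self-signed setup gives you that something sits between you and your server.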
Thank you. To quote ..."If you can't explain it simply..." Again Thanks.
Incredibly helpful, thank you. Andy
I just create the certs for exim and point both exim and dovecot at the same files - it's worked well for me for the last 7 years.
Peter
Thanks for that. I'm running Debian 7.4, the certificates were in /etc/dovecot/dovecot.pem and /etc/dovecot/private/dovecot.pem, and you now have to run dpkg-reconfigure dovecot-core instead.