CAcert and OpenSSL howto for Apache, Courier IMAPS, etc.

Forget self-signed certs: with CAcert, you can get a “free” SSL certificate. That will stop those annoying warnings in your browser about self-signed certs.

Change into a directory where the SSL certs are to be made (for this example I’ll be making my Courier IMAPS work nice!). Oh ya, for this to work, I’m going to be root.

cd /etc/courier/

Now generate a key. (It goes without saying that wherever I use should be your full hostname or FQDN.)

openssl genrsa -out 4096

Create a config file for OpenSSL to use. (You don’t have to do this but it saves typing a lot of the same information in.)

vi imapd.cnf

Paste this text into the imapd.cnf file (changing what makes sense to change!).

RANDFILE = /usr/lib/courier/imapd.rand

[ req ]
default_bits = 4096
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=<Country Code>		# eg: IE
ST=<County>			# eg: Co Dublin
L=<Town>			# eg: Sandyford
O=<Company name>		# eg: Widgets Ltd
OU=<Department>			# eg: IT Department
CN=<hostname>			# eg:
emailAddress=<address>		# eg:

[ cert_type ]
nsCertType = server

Now generate your CSR (Certificate Signing Request) file.

openssl req -new -nodes -key -config imapd.cnf -out

Have a peek at the CSR (Certificate Signing Request) file. You’ll need to copy this to CAcert’s application form text box.

It should look something like this…


Sign up with CAcert.

Once you’ve got an account, you will have to register an email address.

Then go to: Server Certificates -> New

Paste your CSR text into the textbox on this page.

The good folk at CAcert will email you a link that you have to follow in order to issue a CRT file. Once you have the CRT file contents in your clipboard, paste them into a file.

Save this file in the same directory as the KEY and CSR files.

Now we need to create a PEM file. This is simply the KEY and CRT file back to back with some Diffie-Hellman stuff at the end.

cat >

This generates Diffie-Hellman parameters, and appends them to the pem file.

openssl gendh >>

Now make the lot safe.

chmod 400*

That is it. Now you have a CAcert-signed SSL solution for use with Apache, Courier IMAP, Postfix, etc.: any application that requires a CRT/PEM/KEY/CSR file combination to work.
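
An added example, not part of the original howto: before the KEY and CRT are concatenated into the PEM, this checks that the certificate that came back really carries the public key of the private key on disk, and writes the PEM so it is never world-readable. The function names and the three file-name arguments are assumptions made for illustration; pass your own KEY, CRT and PEM names.

```shell
#!/bin/sh
# Added example: confirm KEY, CSR and CRT share one public key, then build the PEM.

# Print the SHA-256 digest of the public key held in a key, CSR or certificate.
pub_digest() {  # $1 = key|csr|crt, $2 = file
    case "$1" in
        key) pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if both files carry the same public key.
same_pubkey() {  # $1 = type, $2 = file, $3 = type, $4 = file
    a=$(pub_digest "$1" "$2") && b=$(pub_digest "$3" "$4") && [ "$a" = "$b" ]
}

# Write KEY followed by CRT to the PEM, refusing a certificate issued for another key.
build_pem() {  # $1 = key, $2 = crt, $3 = output pem
    if ! same_pubkey key "$1" crt "$2"; then
        echo "refusing: $2 does not match $1 (or a file is unreadable)" >&2
        return 1
    fi
    # umask 077 keeps the private key unreadable to others while the file is written.
    ( umask 077 && cat "$1" "$2" > "$3" ) || return 1
    chmod 400 "$3"
}

# Usage: sh thisfile KEY CRT PEM   (file names are the caller's own)
if [ "$#" -eq 3 ]; then
    build_pem "$@"
fi
```

`same_pubkey key KEY csr CSR` can also be run before pasting the CSR into the form. The PEM is already mode 400 when this finishes, so append the Diffie-Hellman parameters as root, as the howto does.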