by Wim Kerkhoff

Trying to get a server certificate that has been self signed using your own Root CA to be nicely accepted by clients can be tricky. I've got it going on though, so that HTTP, POP3, IMAP, and SMTP are protected using SSL and my self signed server certificate. ssl_root_ca_old|HTTP is protected using mod_ssl, but everything else is done using stunnel. S/MIME (encryption, description, signing, verification) is working perfectly using my own Root CA. Here are the instructions for Outlook Express; they should be detailed enough to help with out applications that require them as well. Importing the certificate in OE will be enough for IE to be happy as well.

For the old way, using manual openssl commands, see this. The SSL.CA toolkit can also be downloaded from:

1. On the server, create the Root CA and Server Certificate

Download this handy toolkit and install it:

cd /tmp
tar xvfz 
mv /usr/local/
cd /usr/local/

To create the Root CA:


Answer all the questions for the Root CA (Certificate Authority). Defaults are make a lot of sense though.

And that's it! These shell scripts have easy names. I found this method to be a LOT easier then what the OpenSSL documentation recommends.

2. Create the Server Certificate:


Answer all the questions for the Server Certificate. Defaults should help explain what each option is. Then sign the certificate request (CRL) using your Root CA:


Enter the passphrase you set up for the Root CA...

Creation of a unified PEM version of the server's certificate and private key is necessary for many applications. It is as simple as concatenating the two together:

cd /usr/local/
cat >

3. Create a PKCS#7 format of the Root CA's public certificate:

This will allow clients to easily import it into their their PKI storage places, such as Outlook Express and Netscape.

cd /usr/local/
openssl crl2pkcs7 -nocrl -certfile ca.crt -outform DER -out ca.pkcs7

ca.pkcs7 will only contain the public portion of the CA's certificate, so you can email it to whomever with instructions on how to import it, put it up for download, or whatever.

4. Install and configure stunnel:

Stunnel is the tool that takes care of creating SSL tunnels for a variety of scenarios.

apt-get install stunnel

I create an /etc/rc.boot/stunnel script, which creates all the required tunnels:

# connect localhost:imaps to localhost:imap to secure Cyrus IMAP server
/usr/sbin/stunnel -d imaps -r localhost:imap -p /etc/stunnel/server.pem
# connect localhost:pop3s to localhost:
/usr/sbin/stunnel -d pop3s -r localhost:pop3 -p /etc/stunnel/server.pem

# connect localhost:ssmtp (SMTP over SSL) to localhost
/usr/sbin/stunnel -d ssmtp -r localhost:smtp -p /etc/stunnel/server.pem

Check that stunnel is running. You should see 3 parent stunnel process, with varying number of forked off children. This means that now the plain text ports IMAP (143), POP3 (110), and SMTP (25) are have SSL versions now. Check /etc/services for their actual port numbers if in doubt.

5. On the client (OE) side

Go to Options -> Security -> Digital IDs. Click Import, and select your ca.pkcs7 file. It should say something to the effect that it imported successfully. Also in OE, for each account that is pointed at this server, ensure that that "Incoming Mail" option is exactly the name of the server that is in your server certificate. For example, or, not If you are wanting to do secure SMTP, the same goes for that.

6. To create a User Certificate:

User certificates are handy for digitally signing and/or encrypting emails, authenticating users connecting via SSL to your website, etc. The same SSL toolkit can help you with this.

cd /usr/local/

Answer all the questions, then sign this request:


Combine the user certificate and private key into a unified PEM format file:

cat user\ user\ > user\

Convert this new PEM file into PKCS#12 format, so the OE can import it nicely:

openssl crl2pkcs7 \
       -nocrl -certfile user\ \
       -outform DER -out user.domain.public.pkcs7

Then Import this into Outlook Express / Netscape Mail like we did for the Root CA above, and you should now be able to Sign and/or Encrypt your emails!

user.domain.public.pkcs7 will actually be seldom used. Other people can obtain your public certificate if you simply send them a signed (not encrypted) message.

7. Make Netscape approve all certificates signed by your Root CA:

Netscape Communicator 4.x (under Linux anyways) has some really clunky PKI tools. Go to Communicator -> Tools -> Security Info -> Signers, and select your Root CA. Click Edit, and scroll down to the Approval checkboxes.

8. Tell Apache/mod_ssl to use the new server Certificate and Key:

Locate and configure these options in httpd.conf:

SSLCertificateFile /path/to/server.crt SSLCertificateKeyFile /path/to/server.key

9. Have Netscape automatically add the new root CA

Depending on your system, your server may not be suggesting the correct MIME type to browsers. If the MIME types are correct, you can put up a link to your Root CA (ca.pks7) on your site, so that people can click the link to import it into their trusted list of Certificate Authorities. If this is not happening, edit /etc/mime.types, and add a line like this, then restart Apache:

application/x-x509-ca-cert pkcs7

10. Decrypt private key, so that Apache can start automatically on system bootup without prompting for the passphrase:

mv server.key
openssl rsa -in -out server.key
chown 400 server.key

Related links

Sites that link to here

See also SSL, Linux, Apache, Networking