I'm having trouble making certificates that work with
courier. I used openssl to create a self-signed
Certificate Authority certificate. Then I created a new
certificate request and private key. Then I used my CA to
sign the certificate request. Everything went fine and I
can import the CA and the signed cert into Konqueror with
no troubles. "openssl x509 -text" shows it as a perfectly
valid certificate, properly signed, etc. But if I try and
use it as imapd.pem courier refuses to accept any encrypted
connections and I get "TLS start error" in kmail whenever I
try and use STARTTLS.

I looked at the self-signed certificates that courier
generates itself (as well as the ones created by the
"mkimapdcert" command) and they contain an
RSA PRIVATE KEY section at the top and a DH PARAMETERS
section at the bottom. I looked at the mkimapdcert script
and it uses "openssl req" to create a certificate and
self-sign it at the same time. It also uses the "-keyout"
switch to store the private key in the ".pem" file. Then
it uses "openssl gendh" to append the DH parameters.

I used "openssl x509" and "openssl ca" to sign the
certificate request and neither of them seems to have an
option to stick the private key in there as well. I tried
copying the private key that I created when I made the
certificate request to the top of the pem file that was
created by signing it and I ran the gendh command and
appended it to the bottom of the cert I created but still
courier isn't happy.

I've made sure that all the permissions on the cert I
created match those of the certs courier creates
(courier.root 600). How do you sign a certificate and
install it so courier likes it? I know very little about
certificates and am just following the openssl man pages.
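
An added example, not part of the original post: a shell sketch that assembles a combined file in the layout described above (private key first, then the signed certificate, then DH parameters) and checks that the key is unencrypted and matches the certificate. The function names and file arguments are hypothetical, and the DH parameter file is assumed to have been generated beforehand.

```shell
#!/bin/sh
# Added example (not from the original post). Function and file names are hypothetical.

# Assemble key + certificate + DH parameters into one file, in the order the
# post observed in courier's own files (key first, DH parameters last).
build_combined_pem() {   # usage: build_combined_pem key cert dhparams out
    ( umask 077                                # the output holds a private key
      cat "$1" > "$4" &&
      # "openssl ca" output can start with a text dump; keep only the PEM block.
      openssl x509 -in "$2" >> "$4" &&
      cat "$3" >> "$4" )
}

# Return 0 if the combined file passes every check; print each failure.
check_combined_pem() {   # usage: check_combined_pem file
    pem=$1
    rc=0
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem"; then
        echo "FAIL: no private key block"; rc=1
    elif grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$pem"; then
        # A daemon starting unattended cannot be prompted for a passphrase.
        echo "FAIL: private key is passphrase-protected"; rc=1
    fi
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "FAIL: no certificate block"; rc=1; }
    grep -q -e '-----BEGIN DH PARAMETERS-----' "$pem" ||
        { echo "FAIL: no DH parameters block"; rc=1; }
    # The certificate must carry the public half of this exact private key.
    key_pub=$(openssl pkey -in "$pem" -passin pass: -pubout 2>/dev/null) || key_pub=""
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || crt_pub=""
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL: private key does not match certificate"; rc=1
    fi
    return $rc
}
```

Current OpenSSL releases generate the DH parameter file with "openssl dhparam" rather than the older "openssl gendh" command.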