So, I got an SSL wildcard certificate for my primary domain not too long ago.
Getting eBox's certificates replaced wasn't too hard.
After chatting with bencer on IRC, I was told that if you *do not enable* "Services Certificates", you should just be able to replace the .pem files in various locations with the proper keys without eBox replacing them on you with CA-generated certificates.
Messing around for a few hours, I got it all working, and here's how I did it.
OpenSSL isn't picky about what it finds in certificate files -- it skips everything outside the PEM blocks it's looking for.
So, knowing this, one can keep both the certificate and the private key in a single .pem file.
What worked for me:
openssl x509 -in startssl.cert -text > header.pem && cat header.pem startssl.key > combined.pem
Alternatively, appending:
openssl x509 -in startssl.cert -text > combined.pem && cat startssl.key >> combined.pem
This will generate a .pem file with a plaintext header (which is ignored), followed by the certificate, followed by the private key.
You can now use this combined.pem file to replace any of the eBox service certificates.
These files are stored in the following places (owner.group, perms):
SMTP (postfix): /etc/postfix/sasl/postfix.pem (root.root, 0400)
IMAP (dovecot): /etc/dovecot/ssl/dovecot.pem (root.root, 0400)
POP3 (dovecot): /etc/dovecot/ssl/dovecot.pem (root.root, 0400)
XMPP (jabberd2): /etc/jabberd2/ebox.pem (jabber.jabber, 0644)
User Corner (apache2): /var/lib/ebox-usercorner/ssl/ssl.pem (ebox-usercorner.ebox-usercorner, 0400)
eBox Frontend (apache2): /var/lib/ebox/conf/ssl/ssl.pem (ebox.ebox, 0600)
Simply replacing these files and making sure the permissions matched the originals worked for me.
Of course, your mileage may vary.
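An added example, not from the original post, that scripts the steps above: it checks that the certificate and key actually belong together, builds the combined .pem with the text header, and replaces an existing eBox service file while keeping that file's owner, group and mode. The file names are placeholders; it assumes GNU coreutils (chown/chmod --reference, stat -c) as on the Ubuntu that eBox runs on.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are placeholders.
set -eu

# Return 0 if the public key inside the certificate equals the public key
# derived from the private key (works for RSA and EC keys alike).
cert_key_match() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Write <text dump> + certificate + private key to $3, created with mode
# 0600 from the start so the private key is never world-readable, not even briefly.
build_combined_pem() {
    cert="$1"; key="$2"; out="$3"
    cert_key_match "$cert" "$key" || { echo "certificate and key do not match" >&2; return 1; }
    ( umask 077; openssl x509 -in "$cert" -text > "$out"; cat "$key" >> "$out" )
    # Sanity check: both the certificate and the key must parse from the combined file.
    openssl x509 -in "$out" -noout
    openssl pkey -in "$out" -noout
}

# Replace $dst with $src, keeping a backup and the original owner/group/mode
# (the eBox service files differ in ownership and mode, see the list above).
install_pem() {
    src="$1"; dst="$2"
    cp -p "$dst" "$dst.bak"
    cp "$src" "$dst.new"
    chown --reference="$dst" "$dst.new"
    chmod --reference="$dst" "$dst.new"
    mv -f "$dst.new" "$dst"
}

# Usage (placeholder paths):
#   build_combined_pem startssl.cert startssl.key combined.pem
#   install_pem combined.pem /etc/dovecot/ssl/dovecot.pem
```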
No mason templates were harmed in the making of this post.