John Bokma MexIT
freelance Perl programmer

Renewing a self-signed certificate

Wednesday, April 4, 2012

Last month the self-signed certificate I created for postfix and dovecot on the virtual private server I use to host this site expired. I was made aware of this fact by the email client I use, Mozilla Thunderbird. Since I was quite busy and had no time to look into this, I just made Thunderbird accept the expired certificate.

Today, after a well deserved short vacation, I finally had some time to catch up with things like this and created a new self-signed certificate on the VPS running Ubuntu. A transcript showing the commands I issued and the generated output follows:

# cd /etc/postfix
# mv postfix.cert postfix.cert.old
# mv postfix.key postfix.key.old
# openssl req -new -outform PEM -out postfix.cert -newkey rsa:2048 \
              -nodes -keyout postfix.key -keyform PEM -days 999 -x509
Generating a 2048 bit RSA private key
writing new private key to 'postfix.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:MX
State or Province Name (full name) [Some-State]:Veracruz
Locality Name (eg, city) []:Xalapa
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Castle Amber
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []
Email Address []
# /etc/init.d/dovecot restart
 * Restarting IMAP/POP3 mail server dovecot                              [ OK ] 
# /etc/init.d/postfix restart
 * Stopping Postfix Mail Transport Agent postfix                         [ OK ] 
 * Starting Postfix Mail Transport Agent postfix                         [ OK ] 
# chmod 600 postfix.cert postfix.key
# rm postfix.cert.old postfix.key.old

Make sure that both generated files are only readable by root, i.e., don't forget the chmod 600.

Note that I cleaned up the old files only after I had deleted the entries for the old certificate via "Preferences" in Thunderbird and verified that the new self-signed certificate works.

The new certificate expires on the 29th of December, 2014, which I verified in MySQL as follows to be indeed 999 days from today, the 4th of April:

mysql> SELECT '2012-04-04' + INTERVAL 999 DAY AS expires;
+------------+
| expires    |
+------------+
| 2014-12-29 |
+------------+
1 row in set (0.00 sec)
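The same renewal, as an added script that is not part of the original post: it generates the key and certificate under umask 077 so they are mode 600 from the moment they exist (instead of chmod 600 after the services have already been restarted), supplies the Distinguished Name non-interactively with -subj, keeps the previous pair as .old until the new certificate has been confirmed, and checks the expiry date with openssl instead of MySQL. The host name mail.example.com, the temporary directories and the helper names are placeholders; GNU date -d, OpenSSL 1.1.1 or later (for -addext) and a POSIX sh are assumed. Restarting dovecot and postfix is left to the caller, as in the transcript.

```shell
#!/bin/sh
# Added example, not the original post's commands. Assumes OpenSSL >= 1.1.1
# and GNU date; mail.example.com and all paths are placeholders.
set -eu

# Generate postfix.key and postfix.cert in DIR for host CN, valid DAYS days.
# umask 077 in a subshell makes both files mode 600 as they are written,
# so there is no window in which the private key is readable by others.
make_selfsigned_cert() {
    dir=$1; cn=$2; days=$3
    ( umask 077
      openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
          -subj "/C=MX/ST=Veracruz/L=Xalapa/O=Castle Amber/CN=$cn" \
          -addext "subjectAltName=DNS:$cn" \
          -keyout "$dir/postfix.key" -out "$dir/postfix.cert" )
}

# First ten characters of ls -l, e.g. "-rw-------" for a mode 600 file.
file_perms() { ls -ld "$1" | cut -c1-10; }

# notAfter date of a PEM certificate as YYYY-MM-DD (GNU date parses the
# "Dec 29 13:41:00 2014 GMT" form that openssl prints).
cert_expiry_date() {
    date -u -d "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)" +%F
}

# Succeeds only if the certificate is still valid SECONDS from now.
cert_valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

# START plus DAYS days as YYYY-MM-DD; the post checks this sum with MySQL.
expected_expiry() { date -u -d "$1 + $2 days" +%F; }

# Move the new pair from SRC into DEST, keeping any previous pair as *.old
# until the new certificate has been verified from the mail client.
install_cert() {
    src=$1; dest=$2
    for f in postfix.key postfix.cert; do
        if [ -e "$dest/$f" ]; then mv "$dest/$f" "$dest/$f.old"; fi
        mv "$src/$f" "$dest/$f"
    done
}

# Stand-alone run ("sh renew-cert.sh demo"): build a throwaway pair in a
# temporary directory and report its permissions and expiry date.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_selfsigned_cert "$d" mail.example.com 999
    echo "key mode: $(file_perms "$d/postfix.key")"
    echo "expires:  $(cert_expiry_date "$d/postfix.cert")"
    rm -rf "$d"
fi
```

Running the script with the demo argument only touches a temporary directory; to renew for real, point make_selfsigned_cert at a staging directory, run install_cert with /etc/postfix as the destination, restart dovecot and postfix, and remove the .old files once the client accepts the new certificate.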
