John Bokma MexIT

Renewing a self-signed certificate

Wednesday, April 4, 2012

Last month the self-signed certificate I created for postfix and dovecot on the virtual private server I use to host this site expired. I was made aware of this fact by the email client I use, Mozilla Thunderbird. Since I was quite busy and had no time to look into this, I just made Thunderbird accept the expired certificate.

Today, after a well-deserved short vacation, I finally had some time to catch up with things like this and created a new self-signed certificate on the VPS running Ubuntu. A transcript showing the commands I issued and the generated output follows:

# cd /etc/postfix
# mv postfix.cert postfix.cert.old
# mv postfix.key postfix.key.old
# openssl req -new -outform PEM -out postfix.cert -newkey rsa:2048 \
              -nodes -keyout postfix.key -keyform PEM -days 999 -x509
Generating a 2048 bit RSA private key
............................+++
........+++
writing new private key to 'postfix.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:MX
State or Province Name (full name) [Some-State]:Veracruz
Locality Name (eg, city) []:Xalapa
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Castle Amber
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:johnbokma.com
Email Address []:contact@johnbokma.com
# /etc/init.d/dovecot restart
 * Restarting IMAP/POP3 mail server dovecot                              [ OK ] 
# /etc/init.d/postfix restart
 * Stopping Postfix Mail Transport Agent postfix                         [ OK ] 
 * Starting Postfix Mail Transport Agent postfix                         [ OK ] 
# chmod 600 postfix.cert postfix.key
# rm postfix.cert.old postfix.key.old

Make sure that both generated files are only readable by root, i.e. don't forget the chmod 600.

Note that I did the cleanup of the old files only after I had verified in Thunderbird that the new self-signed certificate works, after I had deleted the entries for the old one via "Preferences".

The new certificate expires on the 29th of December, 2014, which I verified in MySQL as follows to be indeed 999 days from today, the 4th of April:

mysql> SELECT '2012-04-04' + INTERVAL 999 DAY AS expires;
+------------+
| expires    |
+------------+
| 2014-12-29 |
+------------+
1 row in set (0.00 sec)
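
The two points the post stresses, key file permissions and the new expiry date, can also be checked with openssl itself, together with a check that the certificate and key belong together. This is an added shell example, not part of the original post; the function names, the `mail.example.invalid` subject and the temporary demo files are assumptions, and it needs the `openssl` command-line tool.

```shell
#!/usr/bin/env bash
# Added example: post-renewal checks for a certificate/key pair.
# Function names and demo files are assumptions, not taken from the post.

# Succeeds if the certificate is still valid DAYS days from now.
cert_valid_for() {   # usage: cert_valid_for CERT DAYS
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Prints the certificate's notAfter date as openssl reports it.
cert_not_after() {   # usage: cert_not_after CERT
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Succeeds only if group and others have no permission bits on FILE.
owner_only() {       # usage: owner_only FILE
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeeds if the certificate's public key matches the private key.
pair_matches() {     # usage: pair_matches CERT KEY
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Runs all checks and returns the number of failed checks.
check_renewal() {    # usage: check_renewal CERT KEY WARN_DAYS
    local fails=0
    cert_valid_for "$1" "$3" || { echo "WARN: $1 expires within $3 days"; fails=$((fails+1)); }
    owner_only "$2"          || { echo "WARN: $2 is accessible to group/others"; fails=$((fails+1)); }
    pair_matches "$1" "$2"   || { echo "WARN: $1 and $2 do not belong together"; fails=$((fails+1)); }
    return "$fails"
}

# Demo on a throwaway pair (constructed; same key size and -days as the transcript).
demo_dir=$(mktemp -d)
openssl req -new -x509 -newkey rsa:2048 -nodes -days 999 \
    -subj "/CN=mail.example.invalid" \
    -keyout "$demo_dir/demo.key" -out "$demo_dir/demo.cert" 2>/dev/null
chmod 644 "$demo_dir/demo.key"            # simulate a forgotten chmod 600
echo "expires: $(cert_not_after "$demo_dir/demo.cert")"
check_renewal "$demo_dir/demo.cert" "$demo_dir/demo.key" 30 || echo "checks failed: $?"
chmod 600 "$demo_dir/demo.key"            # the fix the post asks for
check_renewal "$demo_dir/demo.cert" "$demo_dir/demo.key" 30 && echo "all checks passed"
rm -rf "$demo_dir"
```

Run from cron with a warning window of a few weeks, `check_renewal` reports an approaching expiry before a mail client has to.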
