Last month the self-signed certificate I created for
dovecot on the virtual
private server I use to host this site expired. I was made aware
of this fact by the email client I use, Mozilla Thunderbird. Since
I was quite busy and had no time to look into this I just made
Thunderbird accept the expired certificate.
Today, after a well deserved short vacation, I had finally some time to catch up with things like this and created a new self-signed certificate on the VPS running Ubuntu. A transcript showing the commands I issued and the generated output follows:
# cd /etc/postfix # mv postfix.cert postfix.cert.old # mv postfix.key postfix.key.old # openssl req -new -outform PEM -out postfix.cert -newkey rsa:2048 \ -nodes -keyout postfix.key -keyform PEM -days 999 -x509 Generating a 2048 bit RSA private key ............................+++ ........+++ writing new private key to 'postfix.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:MX State or Province Name (full name) [Some-State]:Veracruz Locality Name (eg, city) :Xalapa Organization Name (eg, company) [Internet Widgits Pty Ltd]:Castle Amber Organizational Unit Name (eg, section) : Common Name (eg, YOUR name) :johnbokma.com Email Address :firstname.lastname@example.org # /etc/init.d/dovecot restart * Restarting IMAP/POP3 mail server dovecot [ OK ] # /etc/init.d/postfix restart * Stopping Postfix Mail Transport Agent postfix [ OK ] * Starting Postfix Mail Transport Agent postfix [ OK ] # chmod 600 postfix.cert postfix.key # rm postfix.cert.old postfix.key.old
Make sure that both generated files are only readable by
root, i.e. don't forget the
Note that I did the clean up of the old files only after I had verified in Thunderbird that the new self-signed certificate works, after I had deleted the entries for the old one via "Preferences".
The new certificate expires the 29th of December, 2014, which I verified in MySQL as follows to be indeed 999 days from today, the 4th of April:
mysql> SELECT '2012-04-04' + INTERVAL 999 DAY AS expires; +------------+ | expires | +------------+ | 2014-12-29 | +------------+ 1 row in set (0.00 sec)