I am currently available as a freelance Senior Perl Programmer. Download my up-to-date resume (PDF)
John Bokma MexIT
freelance Perl programmer

Renewing a self-signed certificate

Wednesday, April 4, 2012 | 0 comments

Last month the self-signed certificate I created for postfix and dovecot on the virtual private server I use to host this site expired. I was made aware of this fact by the email client I use, Mozilla Thunderbird. Since I was quite busy and had no time to look into this I just made Thunderbird accept the expired certificate.

Today, after a well deserved short vacation, I had finally some time to catch up with things like this and created a new self-signed certificate on the VPS running Ubuntu. A transcript showing the commands I issued and the generated output follows:

# cd /etc/postfix
# mv postfix.cert postfix.cert.old
# mv postfix.key postfix.key.old
# openssl req -new -outform PEM -out postfix.cert -newkey rsa:2048 \
              -nodes -keyout postfix.key -keyform PEM -days 999 -x509
Generating a 2048 bit RSA private key
............................+++
........+++
writing new private key to 'postfix.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:MX
State or Province Name (full name) [Some-State]:Veracruz
Locality Name (eg, city) []:Xalapa
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Castle Amber
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:johnbokma.com
Email Address []:contact@johnbokma.com
# /etc/init.d/dovecot restart
 * Restarting IMAP/POP3 mail server dovecot                              [ OK ] 
# /etc/init.d/postfix restart
 * Stopping Postfix Mail Transport Agent postfix                         [ OK ] 
 * Starting Postfix Mail Transport Agent postfix                         [ OK ] 
# chmod 600 postfix.cert postfix.key
# rm postfix.cert.old postfix.key.old

Make sure that both generated files are only readable by root, i.e. don't forget the chmod 600.

Note that I did the clean up of the old files only after I had verified in Thunderbird that the new self-signed certificate works, after I had deleted the entries for the old one via "Preferences".

The new certificate expires the 29th of December, 2014, which I verified in MySQL as follows to be indeed 999 days from today, the 4th of April:

mysql> SELECT '2012-04-04' + INTERVAL 999 DAY AS expires;
+------------+
| expires    |
+------------+
| 2014-12-29 |
+------------+
1 row in set (0.00 sec)

Also today

Please post a comment | read 0 comments | RSS feed