I had been getting reports from users of one domain handled by my Linux email server that email from/to a particular client they deal with had been getting delayed. When I checked the maillog files, I found references to "TLS errors" for that domain. When I discussed the problem with a tech support person for the other company, he said his company is using Exchange with a TLS connector and would prefer my server communicate using TLS with their server. He told me that the security certificate for my server had expired.
I didn't know how to check the expiration date until I found instructions for checking it at Renew SSL certificate in RedHat 9. Sugree, the author of that webpage, suggested running the command openssl x509 -in sendmail.pem -text | grep Not. The instructions were written for a RedHat 9 system. When I ran the command, I saw the following results.
# cd /usr/share/ssl/certs
[root@frostdragon certs]# openssl x509 -in sendmail.pem -text | grep Not
Not Before: Nov 9 21:26:57 2003 GMT
Not After : Nov 8 21:26:57 2004 GMT
The author then recommended using the command openssl x509 -in sendmail.pem -text | grep Subject. It produced the following results on my server.
[root@frostdragon certs]# openssl x509 -in sendmail.pem -text | grep Subject
Subject: C=US, ST=Maryland, L=Annapolis, O=MoonPoint, CN=frostdragon.com/emailAddress=support_999@frostdragon.com
Subject Public Key Info:
X509v3 Subject Key Identifier:
The Subject line above holds the values (country, state, locality, organization, common name and email address) that you will need to enter again when you generate the new certificate, so note them before deleting the old file.
I deleted the /usr/share/ssl/certs/sendmail.pem file and generated a new one with make sendmail.pem, which I ran from /usr/share/ssl/certs. The values I typed at each prompt (shown after the colon below) are the responses I entered to the queries and repeat the information I saw when I ran openssl x509 -in sendmail.pem -text | grep Subject.
[root@frostdragon certs]# make sendmail.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 ; \
cat $PEM1 > sendmail.pem ; \
echo "" >> sendmail.pem ; \
cat $PEM2 >> sendmail.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
...........++++++
..............................................++++++
writing new private key to '/tmp/openssl.Ipeqjd'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Maryland
Locality Name (eg, city) [Newbury]:Annapolis
Organization Name (eg, company) [My Company Ltd]:MoonPoint
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:frostdragon.com
Email Address []:support_999@frostdragon.com
When I then checked the expiration of the sendmail.pem certificate, I saw the following.
[root@frostdragon certs]# openssl x509 -in sendmail.pem -text | grep Not
Not Before: Aug 8 02:41:22 2007 GMT
Not After : Aug 7 02:41:22 2008 GMT
So now I've got a certificate that is good for another year.
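The procedure above (check the expiration, note the Subject, regenerate sendmail.pem, check again) as shell functions, added here as an example and not part of the original post or of Sugree's instructions. It assumes only the openssl command-line tool. The subject string, host name and file paths in the demo are placeholders; the -subj option replaces the interactive prompts the make target walks through, the key size is raised from the target's rsa:1024 to rsa:2048, and the optional subjectAltName (needed by current TLS clients to match the host name) uses -addext, which requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not the page's own commands: the manual steps in the post
# as functions. Only assumption: the openssl CLI is installed.
set -eu

# Print "expired", "expiring" (less than WARN_DAYS left) or "ok" for the
# first certificate in a PEM file. "openssl x509 -checkend N" exits 0 if
# the certificate is still valid N seconds from now, non-zero otherwise.
cert_status() {
    pem=$1; warn_days=${2:-30}
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo expired
    elif ! openssl x509 -in "$pem" -noout -checkend $((warn_days * 86400)) >/dev/null; then
        echo expiring
    else
        echo ok
    fi
}

# Same information as "openssl x509 -text | grep Not" and "| grep Subject"
# in the post, without dumping the whole certificate.
cert_dates()   { openssl x509 -in "$1" -noout -dates; }
cert_subject() { openssl x509 -in "$1" -noout -subject; }

# Rebuild a combined key+certificate file the way the RedHat
# "make sendmail.pem" target does (key, blank line, certificate), but
# non-interactively: the subject comes in as one -subj string such as
# "/C=US/ST=Maryland/L=Annapolis/O=MoonPoint/CN=host.example.test".
# Runs in a subshell so umask 077 (private key never world-readable)
# does not leak into the caller. Optional 4th argument adds a
# subjectAltName, e.g. "DNS:host.example.test" (OpenSSL 1.1.1+).
renew_sendmail_pem() {
    out=$1; subj=$2; days=${3:-365}; san=${4:-}
    (
        umask 077
        key=$(mktemp); crt=$(mktemp)
        if [ -n "$san" ]; then
            openssl req -newkey rsa:2048 -nodes -keyout "$key" -x509 -days "$days" \
                -subj "$subj" -addext "subjectAltName=$san" -out "$crt"
        else
            openssl req -newkey rsa:2048 -nodes -keyout "$key" -x509 -days "$days" \
                -subj "$subj" -out "$crt"
        fi
        { cat "$key"; echo; cat "$crt"; } > "$out"
        rm -f "$key" "$crt"
    )
}

# Demo with placeholder values mirroring the fields in the post:
#   sh renew.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    renew_sendmail_pem "$demo" \
        "/C=US/ST=Maryland/L=Annapolis/O=MoonPoint/CN=mail.example.test/emailAddress=postmaster@example.test" \
        365 "DNS:mail.example.test"
    cert_subject "$demo"
    cert_dates "$demo"
    echo "status: $(cert_status "$demo" 30)"
    rm -f "$demo"
fi
```

Pointing cert_status at the live /usr/share/ssl/certs/sendmail.pem from cron with a 30-day threshold gives the warning that was missing in the story above, before the remote Exchange server starts refusing the TLS handshake.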
References:
- Transport Layer Security. Wikipedia, the free encyclopedia.
- Renew SSL certificate in RedHat 9. By Sugree. howforge.com | Share Know-How.