
Create RSA-2048 Certificate for the SMTP Proxy

Applies to platform: UTM all
Last updated: 19th December 2017

This article explains how to make an Endian UTM appliance generate an RSA-2048 certificate, which is required to communicate with external mail servers that reject weaker keys.

Background

Recently, many e-mail server providers have started requiring an RSA-2048 certificate for the communication (in particular during the STARTTLS phase), that is, a certificate whose public key is an RSA key of at least 2048 bits, because RSA keys shorter than 2048 bits are now deemed insecure. Note that the size refers to the key pair behind the certificate: a shorter key cannot be fixed by re-signing the certificate, the key itself must be regenerated.

If you are unsure about the size of your certificates, use the following command:

root@endian:~ # openssl x509 -text -noout -in /etc/httpd/server.crt | grep bit

The grep matches the Public-Key line of the certificate. If the output contains (1024 bit), you should remove the old certificate and key and generate new ones, as explained in the remainder of this howto.

Step 1. Remove old certificates

To remove the old, 1024-bit certificate together with its private key, use the following command (the glob removes both server.crt and server.key; the HTTP daemon regenerates them on the next restart):

root@endian:~ # rm /etc/httpd/server.*

Step 2. Restart the HTTP daemon

root@endian:~ # jobcontrol restart httpd

Step 3. Restart the SMTP Proxy

If you use the SMTP Proxy, restart it as well so that it picks up the new certificate; until it is restarted it keeps presenting the old key to remote mail servers:

root@endian:~ # jobcontrol restart smtpscan

Check that everything is correct

To verify that the key is now 2048 bit rather than 1024 bit, run the same command used in the Background section and make sure that the output contains (2048 bit). Additionally, you should check that the CN of the certificate matches the fully qualified hostname of the appliance. In other words, the output of the two commands

root@endian:~ # hostname -f

and

root@endian:~ # openssl x509 -subject -noout -in /etc/httpd/server.crt

should report the same hostname (the subject line also lists the other DN fields, so compare the value of CN).
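As an added example that is not part of this article or of Endian's own tooling, the following POSIX shell script automates both checks described on this page: the key-size check from the Background section and the CN/hostname comparison above. It assumes openssl is on the PATH; the certificate path is the one used in this article, MIN_BITS=2048 is the threshold the article describes, and the served_cert_key_bits helper (with the host:port it takes) is an illustrative extra that looks at the certificate the SMTP service actually presents after STARTTLS.

```shell
#!/bin/sh
# check_smtp_cert.sh - added example, not Endian's own tooling.
# Verifies that a PEM certificate carries an RSA key of at least MIN_BITS bits
# and that its CN matches the expected hostname. Assumes openssl is installed.

MIN_BITS=2048

# Key size in bits of the certificate's public key (empty if it cannot be parsed).
# Matches both "Public-Key: (2048 bit)" and the older "RSA Public Key: (2048 bit)".
cert_key_bits() {
  openssl x509 -noout -text -in "$1" 2>/dev/null \
    | sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' \
    | head -n 1
}

# CN of the certificate subject. RFC 2253 output uses a comma separator on
# every OpenSSL version, which keeps the parsing stable.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Returns 0 when the key is strong enough and the CN matches, 1 otherwise.
check_cert() {
  cert="$1"
  expected_host="$2"
  bits=$(cert_key_bits "$cert")
  cn=$(cert_cn "$cert")
  status=0
  if [ -z "$bits" ] || [ "$bits" -lt "$MIN_BITS" ]; then
    echo "FAIL: $cert has a ${bits:-unknown}-bit key, need at least $MIN_BITS"
    status=1
  else
    echo "OK: $cert has a $bits-bit key"
  fi
  if [ "$cn" != "$expected_host" ]; then
    echo "FAIL: certificate CN '$cn' does not match hostname '$expected_host'"
    status=1
  else
    echo "OK: certificate CN matches $expected_host"
  fi
  return $status
}

# Key size of the certificate the SMTP service presents after STARTTLS.
# Argument is host:port (e.g. mail.example.com:25, hypothetical). This is what a
# remote mail server sees, which differs from the file on disk if a daemon was
# not restarted after the certificate was regenerated. Needs network access.
served_cert_key_bits() {
  openssl s_client -starttls smtp -connect "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' \
    | head -n 1
}

# Usage: sh check_smtp_cert.sh /etc/httpd/server.crt [expected-hostname]
# The hostname defaults to the appliance's own FQDN, as in the article.
if [ $# -gt 0 ]; then
  check_cert "$1" "${2:-$(hostname -f)}"
fi
```

On the appliance, `sh check_smtp_cert.sh /etc/httpd/server.crt` reproduces the two manual checks in one step; `served_cert_key_bits mail.example.com:25` run from another host confirms that the restarted SMTP Proxy is really serving the new key.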
