Applies to platform: UTM all
Last updated: 19th December 2017
This article explains how to configure an Endian UTM appliance to generate an RSA-2048 certificate, which must be used to communicate with external mail servers.
Recently, many e-mail server providers have started requiring an RSA-2048 certificate for the communication (and especially during the STARTTLS phase), that is, a certificate whose RSA key is 2048 bits long, because keys shorter than 2048 bits are now deemed insecure.
If you are unsure about the size of your certificates, use the following command:
root@endian:~ # openssl x509 -text -noout -in /etc/httpd/server.crt | grep bit
If the output contains (1024 bit), you should remove the old certificates and generate new ones, as explained in the remainder of this howto.
Step 1. Remove old certificates
To remove old, 1024-bit certificates, use the following command:
root@endian:~ # rm /etc/httpd/server.*
Step 2. Restart the HTTP daemon
Restart the HTTP daemon so that it generates a new certificate in place of the one you removed:
root@endian:~ # jobcontrol restart httpd
Step 3. Restart the SMTP Proxy
If you use the SMTP Proxy, restart this as well to let it use the new certificate:
root@endian:~ # jobcontrol restart smtpscan
Check that everything is correct
To verify that the key is indeed (2048 bit) instead of (1024 bit), run the same openssl command shown at the beginning of this article and make sure that the output contains (2048 bit). Additionally, check that the CN of the certificate matches the hostname. In other words, the output of the two commands
root@endian:~ # hostname -f
root@endian:~ # openssl x509 -subject -noout -in /etc/httpd/server.crt
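As an added example (not part of the Endian documentation), the following POSIX shell script wraps the two manual checks from this section into one command: it parses the key size out of `openssl x509 -text -noout` output, parses the CN out of `openssl x509 -subject -noout` output, and compares the CN with the appliance's FQDN. The certificate path /etc/httpd/server.crt and the use of `hostname -f` come from this article; the 2048-bit minimum, the function names and the sample openssl output lines used for self-testing are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Endian code: verify that the web server certificate uses
# a key of at least MIN_KEY_BITS bits and that its CN matches the host's FQDN.
# The parsing helpers read openssl output from stdin so they can be exercised
# on captured text; check_server_cert runs openssl against a real file.

MIN_KEY_BITS=2048   # assumed minimum; the article's requirement is RSA-2048

# Extract the key size from `openssl x509 -text -noout` output.
# Matches both "Public-Key: (2048 bit)" (OpenSSL 1.x/3.x) and the older
# "RSA Public Key: (1024 bit)" wording. Prints nothing if no such line exists.
key_bits_from_text() {
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Extract the CN from `openssl x509 -subject -noout` output.
# Handles the legacy "subject= /C=IT/O=Endian/CN=host" layout as well as the
# newer "subject=C = IT, O = Endian, CN = host" layout.
cn_from_subject() {
    sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//' | head -n 1
}

# Succeeds when the key size is known and at least MIN_KEY_BITS.
key_is_strong() {
    bits=$1
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_KEY_BITS" ]
}

# Succeeds when the certificate CN equals the expected hostname
# (DNS names are case-insensitive, so compare in lower case).
cn_matches_host() {
    cn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$cn" ] && [ "$cn" = "$host" ]
}

# Run both checks against a certificate file; returns 0 only if both pass.
# Usage: check_server_cert /etc/httpd/server.crt "$(hostname -f)"
check_server_cert() {
    cert=$1
    host=$2
    bits=$(openssl x509 -text -noout -in "$cert" | key_bits_from_text)
    cn=$(openssl x509 -subject -noout -in "$cert" | cn_from_subject)
    status=0
    if key_is_strong "$bits"; then
        echo "OK: key size is $bits bits"
    else
        echo "FAIL: key size is ${bits:-unknown} bits (need >= $MIN_KEY_BITS)"
        status=1
    fi
    if cn_matches_host "$cn" "$host"; then
        echo "OK: CN '$cn' matches hostname '$host'"
    else
        echo "FAIL: CN '$cn' does not match hostname '$host'"
        status=1
    fi
    return $status
}

# When run as `sh check_cert.sh --run [cert] [host]`, check the live certificate;
# defaults are the paths and commands used in this article.
if [ "${1-}" = "--run" ]; then
    check_server_cert "${2:-/etc/httpd/server.crt}" "${3:-$(hostname -f)}"
fi
```

Run it on the appliance as `sh check_cert.sh --run` after Step 3; a non-zero exit status means one of the two conditions this section asks you to verify is not met. The CN comparison is exact-match only, which is what the article requires; wildcard or subjectAltName handling is deliberately out of scope here.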