
is it possible to extend date of certificate?

Discussion in 'General' started by edhunter, Jan 29, 2009.

  1. edhunter

    edhunter New Member

    Hello guys :)

    I am using a self-signed certificate pair (.key and .crt) for my company's mail server. All personnel have the .crt file imported and trusted in their mail clients.

    A year ago when I created the certs, it was only experimental, but it was ok and now all employer's computers are configured to send and receive mail through smtps and pop3s.

    Is there any chance to extend the certificate expiry date? Do I have to create a new certificate?

    I'm a bit noob with ssl certificates.. and it didn't come to my mind that the certificate will expire after one year. Now I am facing the problem that very soon all users will become unable to use their emails. And my users are in different places and most of them don't have the skills to reconfigure their mail clients.

    I am looking for a solution that doesn't require client actions...
    I hope it is possible :)

    10x in advance

    p.s. the mail server machine is with FreeBSD 7.1-RELEASE-p2 (i386)
    smtp - exim-4.69_2
    pop3 - dovecot-1.1.8
     
  2. trev

    trev New Member

    You need to create a new certificate - and this time make the expiry date sufficiently far into the future that you won't be around when it expires again :)
     
  3. gilinko

    gilinko New Member

    You can't extend a current time limitation of a signed certificate; you will have to create a new one. Do a google search for "Self signed certificates" and you will find thousands of howtos. The important part when creating the new certificate is to add the --days parameter and set it to something large such as 3650 (approximately 10 years validity).

    Your users will still be able to fetch their emails and the link will still be ssl encrypted, but they will probably get a warning about an expired certificate.
     
  4. edhunter

    edhunter New Member

    10x for the quick replies :>

    yep google was the place where i found how to create self-signed certificate, but i did the error to create it for 1 year... ( copy paste in a hurry:) )

    now i will be very careful with --days :))
     
  5. tingo

    tingo Member

    FWIW, think about how long you want to use your certificate before setting it to "many years". Why? Because a part of the security is that the certificate expires (of course somebody has to create a new one each time it expires, but that is a quite small job). Expiration is good for several things:

    - you can change to a newer / better crypto or certificate strength (if such has been developed in the meantime),
    - clients (users) get a small reminder that certificates are something that they should think about (instead of just blindly accepting all questions on their machine with "YES" or "OK" button...)

    Well, you get the idea.
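
As an added example (not code posted by anyone in this thread), the renewal discussed above can be done by self-signing the existing certificate again with the existing private key, which keeps the subject and key and only replaces the validity period via OpenSSL's `-days` option. The file names are placeholders, and the sketch assumes an unencrypted key and an `openssl` binary on the PATH.

```shell
#!/bin/sh
# Added example: renew a self-signed certificate by re-signing it with the
# existing private key. All file names used here are placeholders.

# expiring_soon CERT DAYS -> exit 0 if CERT expires within DAYS days
# (or has already expired).
expiring_soon() {
    # -checkend exits 0 when the cert is still valid N seconds from now.
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# key_matches KEY CERT -> exit 0 if CERT carries the public key of KEY.
key_matches() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$from_key" = "$from_crt" ]
}

# reissue KEY OLDCERT NEWCERT DAYS
# Self-signs OLDCERT again with KEY: same subject and key, validity
# restarted at the current time and ending DAYS days later.
reissue() {
    # Refuse to proceed if the key is not the one the old cert was made with.
    key_matches "$1" "$2" || { echo "key does not match $2" >&2; return 1; }
    openssl x509 -in "$2" -signkey "$1" -days "$4" -out "$3" || return 1
    # Confirm the result before it is installed on the server.
    key_matches "$1" "$3"
}

# Typical use (placeholder paths):
#   expiring_soon mail.crt 30 && reissue mail.key mail.crt mail-new.crt 365
#   openssl x509 -in mail-new.crt -noout -subject -enddate
```

Only the .crt changes on the server; the new certificate still has a different fingerprint from the old one.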