Regenerating snakeoil SSL certificate
Either concurrent with, or shortly after, upgrading to Hardy, the security system indicated that my ssh keys were generated by a version of ssh-keygen that had a broken random number generator and that I had to regenerate them. I did that and ssh is now fine.
However, when my Evolution e-mail client connects to the internal Dovecot POP3 (SSL) server running on top of Postfix, it gives the message below (in italics). This is probably because the snakeoil certificate /etc/ssl/certs/ssl-cert-snakeoil.pem was generated with the same broken random number generator and is therefore blacklisted. This raises two questions:
- How does one regenerate the snakeoil default ssl certificate?
- Are there any consequences of regenerating it that will have to be handled?
The easiest path would be to allow Evolution to accept the certificate. But who wants a default SSL certificate that doesn't provide security?
My version of Ubuntu is:
Linux CERTIBY1 2.6.24-16-generic #1 SMP Thu Apr 10 12:47:45 UTC 2008 x86_64 GNU/Linux
Thanks for any help.
David
SSL Certificate check for certiby1:
Issuer: E=root@CERTIBY1.LAHILLS.CERTIBY.COM,CN=CERTIBY1.LA HILLS.CERTIBY.COM,OU=Office for Complication of Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thing outside US,C=XX
Subject: E=root@CERTIBY1.LAHILLS.CERTIBY.COM,CN=CERTIBY1.LA HILLS.CERTIBY.COM,OU=Office for Complication of Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thing outside US,C=XX
Fingerprint: a3:e2:b7:8b:c6:cb:9e:86:3e:5e:c2:0b:85:bf:4d:44
Signature: BAD
Re: Regenerating snakeoil SSL certificate
I have been digging into this more -- going through the security notices -- and learned that you can test for blacklisted certificates using openssl-vulnkey. It validated that my snakeoil certificates are not blacklisted (see below). Now I don't know what the problem is. Does anyone have ideas?
Thanks.
David
david@CERTIBY1:~$ openssl-vulnkey /etc/ssl/certs/ssl-cert-snakeoil.pem
Not blacklisted: 0ff365d9ac59f2ac2a7bfdb7bd3c6e71b97014f1 /etc/ssl/certs/ssl-cert-snakeoil.pem
david@CERTIBY1:~$ sudo openssl-vulnkey /etc/ssl/private/ssl-cert-snakeoil.key
Not blacklisted: 0ff365d9ac59f2ac2a7bfdb7bd3c6e71b97014f1 /etc/ssl/private/ssl-cert-snakeoil.key
Re: Regenerating snakeoil SSL certificate
If you ever find out how to do this, drop me a pm... I am also trying to figure it out.
Re: Regenerating snakeoil SSL certificate
I suggest that you just subscribe to this thread so that you automatically get informed when I, or someone else, solves it.
Re: Regenerating snakeoil SSL certificate
Since during the installation process my system's time was incorrect (year 2002), there were errors like "your certificate is expired" afterwards. So I needed to regenerate them.
I managed to regenerate the default snakeoil certificate with the following command:
sudo make-ssl-cert generate-default-snakeoil --force-overwrite
and the errors are gone.
Hope that will help.
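As an added example (not from any poster in this thread), the regeneration above carried through as a small script: it records the fingerprint of the current certificate, runs the make-ssl-cert command, restarts the daemons that load the pair at startup, and then checks that the live service really presents the new certificate. The assumptions are that the ssl-cert package (make-ssl-cert) and openssl are installed, that the daemon in question is configured to use the snakeoil pair (Postfix on Ubuntu is by default; Dovecot's ssl_cert_file may point at its own certificate, so check the path in the daemon's config and adjust CERT and KEY if it differs), and that HOST and PORT name the POP3-over-SSL listener (995 is Dovecot's POP3S port). The function and variable names are my own.

```sh
#!/bin/sh
# Added example, not from the thread. Regenerate the Debian/Ubuntu snakeoil
# certificate pair and verify the change end to end.
set -eu

# Paths of the default pair (assumption: the daemon is configured to use them).
CERT=/etc/ssl/certs/ssl-cert-snakeoil.pem
KEY=/etc/ssl/private/ssl-cert-snakeoil.key
# Placeholders for the service to verify; override in the environment.
HOST=${HOST:-localhost}
PORT=${PORT:-995}

# SHA-1 fingerprint of a PEM certificate, as colon-separated hex.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/^.*=//'
}

# Fingerprint of the certificate a live TLS service actually presents.
served_fingerprint() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Succeeds when the certificate on disk and the one served by the daemon
# agree; a mismatch usually means the daemon was not restarted.
check_served_matches_file() {
    [ "$(cert_fingerprint "$1")" = "$(served_fingerprint "$2" "$3")" ]
}

regenerate_snakeoil() {
    old=$(cert_fingerprint "$CERT")
    # Keep the old pair so a client that pinned it can be compared or rolled back.
    sudo cp "$CERT" "$CERT.bak"
    sudo cp "$KEY" "$KEY.bak"
    # The command from the thread: overwrite the default snakeoil pair.
    sudo make-ssl-cert generate-default-snakeoil --force-overwrite
    new=$(cert_fingerprint "$CERT")
    echo "old fingerprint: $old"
    echo "new fingerprint: $new"
    # Daemons read the certificate at startup, so restart the ones using it.
    sudo /etc/init.d/dovecot restart
    sudo /etc/init.d/postfix restart
    if check_served_matches_file "$CERT" "$HOST" "$PORT"; then
        echo "service at $HOST:$PORT now presents the regenerated certificate"
    else
        echo "service at $HOST:$PORT still presents a different certificate" >&2
        return 1
    fi
}

# Only act when invoked with --run; without it the file just defines functions.
if [ "${1:-}" = "--run" ]; then
    regenerate_snakeoil
fi
```

Run it as `sh regen-snakeoil.sh --run` (or with `HOST=certiby1 PORT=995` set first). The printed old and new fingerprints are what to compare against the fingerprint a client such as Evolution shows when it asks to accept the certificate: after regeneration every client that had accepted the old certificate will be prompted again, which is the expected consequence of replacing the pair rather than a sign that something went wrong.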
Re: Regenerating snakeoil SSL certificate
That worked perfectly. Thanks!