[Pkg-exim4-users] regenerating certificates

Ross Boylan ross at biostat.ucsf.edu
Fri May 16 03:29:08 UTC 2008

Thanks to the recent openssl problems I reran exim-gencert (with
--force).  Is the "unable to write 'random state'" message shown below
cause for concern?

corn:/etc/exim4# /usr/share/doc/exim4-base/examples/exim-gencert --force
[*] Creating a self signed SSL certificate for Exim!
    This may be sufficient to establish encrypted connections but for
    secure identification you need to buy a real certificate!
    Please enter the hostname of your MTA at the Common Name (CN)
Generating a 1024 bit RSA private key
unable to write 'random state'
writing new private key to '/etc/exim4/exim.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.

Things seemed to run OK, and I have new certificates.  I don't see
mention of this error message in the exim-gencert code or the openssl
man page.

I have some related questions as well.

Does exim have any other certificates or anything else that needs to be
regenerated because of the openssl problems?  I realize peer systems may
also need updates, and that other mail software (e.g., IMAP servers) may
have their own problems.  My question is about exim itself.

While looking at exim-gencert I found these lines:
openssl req -config $SSLEAY -x509 -newkey rsa:1024 -keyout $KEY -out $CERT -days $DAYS -nodes
#see README.Debian.gz*# openssl dhparam -check -text -5 512 -out $DH
rm -f $SSLEAY

Is the commented out line a reference to README.Debian's section 2.2.3
discussion of Diffie-Hellman parameters?  When I was trying to find the
relevant section I searched on dhparam and found nothing.

Ross Boylan
