[Pkg-exim4-users] regenerating certificates
Ross Boylan
ross at biostat.ucsf.edu
Fri May 16 03:29:08 UTC 2008
Thanks to the recent openssl problems I reran exim-gencert (with
--force). Is the "unable to write 'random state'" message shown below
cause for concern?
--------------------------------------------------
corn:/etc/exim4# /usr/share/doc/exim4-base/examples/exim-gencert --force
[*] Creating a self signed SSL certificate for Exim!
This may be sufficient to establish encrypted connections but for
secure identification you need to buy a real certificate!
Please enter the hostname of your MTA at the Common Name (CN)
prompt!
Generating a 1024 bit RSA private key
.....++++++
..++++++
unable to write 'random state'
writing new private key to '/etc/exim4/exim.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
[etc]
----------------------------------------------------
Things seemed to run OK, and I have new certificates. I don't see
mention of this error message in the exim-gencert code or the openssl
man page.
I have some related questions as well.
Does exim have any other certificates or anything else that needs to be
regenerated because of the openssl problems? I realize peer systems may
also need updates, and that other mail software (e.g., IMAP servers) may
have their own problems. My question is about exim itself.
While looking at exim-gencert I found these lines:
openssl req -config $SSLEAY -x509 -newkey rsa:1024 -keyout $KEY -out $CERT -days $DAYS -nodes
#see README.Debian.gz*# openssl dhparam -check -text -5 512 -out $DH
rm -f $SSLEAY
Is the commented out line a reference to README.Debian's section 2.2.3
discussion of Diffie-Hellman parameters? When I was trying to find the
relevant section I searched on dhparam and found nothing.
Thanks.
Ross Boylan