[Dev] certificates have been renewed

Michał Masłowski mtjm at mtjm.eu
Thu Feb 21 17:00:17 GMT 2013


>> postfix on repo should be.
>
> have you restarted it?

It uses these files:
-rw------- 1 root root 3247 Sep 28  2011 /etc/ssl/private/mail.parabolagnulinux.org.key
-rw-r--r-- 1 root root 1830 Sep 28  2011 /etc/ssl/certs/mail.parabolagnulinux.org.crt

This doesn't suggest them being updated; we could remove them and use
the *.parabolagnulinux.org certificates.

Dovecot is configured to use it too, although with all protocols
disabled it's not needed (it provides only authentication for Postfix).

>> Do we have a policy of replacing private keys?
>
> i didn't replace them, but we have a key per host while we can have just
> a parabola key (easier on configs?).  what are you thinking?

We could have one key pair at once on both servers, renew the public key
once per six months and replace the private key once or twice per year.
Having more than one key per server leads to forgotten keys like the
mail one.  Two separate keys, one for each server, will have overlapping
names, so they shouldn't be more secure than one key for both.