[Dev] certificates have been renewed

Nicolás Reynolds fauno at kiwwwi.com.ar
Thu Feb 21 18:13:13 GMT 2013

Michał Masłowski <mtjm at mtjm.eu> writes:

>>> postfix on repo should be.
>> have you restarted it?
> It uses these files:
> -rw------- 1 root root 3247 Sep 28  2011 /etc/ssl/private/mail.parabolagnulinux.org.key
> -rw-r--r-- 1 root root 1830 Sep 28  2011 /etc/ssl/certs/mail.parabolagnulinux.org.crt
> This doesn't suggest them being updated, we could remove them and use
> the *.parabolagnulinux.org certificates.

no, i just renewed the keys i mentioned

> Dovecot is configured to use it too, although with all protocols
> disabled it's not needed (it provides only authentication for Postfix).
>>> Do we have a policy of replacing private keys?
>> i didn't replace them, but we have a key per host while we can have just
>> a parabola key (easier on configs?).  what are you thinking?
> We could have one key pair at once on both servers, renew the public key
> once per six months and replace the private key once or twice per year.
> Having more than one key per server leads to forgotten keys like the
> mail one.  Two separate keys one for each server will have overlapping
> names, so they shouldn't be more secure than one key for both.

why would it be necessary to change keys? for security problems?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 489 bytes
Desc: not available
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20130221/f72e439b/attachment.sig>

More information about the Dev mailing list