From: Tanstaafl
Date: Wed, 16 Apr 2014 06:52:24 -0400
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones
Message-ID: <534E60E8.6050502@libertytrek.org>

Hi all,

I've taken this opportunity to prod the boss to let me buy some real certs for our few self-hosted mail services. Until now, we've used self-signed certs.

My question is, what exactly is the correct procedure for doing this?

Also, do I still need to do the step I've been seeing:

Step: 2 Delete SSL key set

Now, make out a list of websites that are equipped with SSL certificates. After that, delete all SSL keys, private and CSR key

Finally, create a new private key and CSR key for each of your website. However, remember that your keys should be of 2048-bit key length.

?

Or will simply replacing my self-signed certs with the new real ones be good enough?

Thanks
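
The re-keying step quoted in the message (new private key and CSR, 2048-bit), as an added example that is not part of the original post: it creates the key and CSR with openssl and checks that the CSR does not reuse the retired key. The host names, file names and helper function names are assumptions.

```shell
#!/bin/sh
# Added example: re-key a TLS service after Heartbleed (new key + new CSR).
# Host names, file names and the temp directory are assumptions.

# Create a fresh 2048-bit RSA key (owner-readable only) and a CSR for host $1 in dir $2.
new_key_and_csr() {
    ( umask 077; openssl genrsa -out "$2/$1.key" 2048 2>/dev/null ) || return 1
    openssl req -new -sha256 -key "$2/$1.key" -subj "/CN=$1" -out "$2/$1.csr"
}

# Print the RSA modulus size in bits of private key file $1.
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Print a SHA-256 fingerprint of the public key in $2 ($1 = key | req | x509).
pubkey_fp() {
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        req)  pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        x509) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if CSR $2 carries a different public key than old private key $1.
csr_is_rekeyed() {
    old=$(pubkey_fp key "$1") && new=$(pubkey_fp req "$2") || return 1
    [ "$old" != "$new" ]
}

# Demo in a throwaway directory: "old" stands in for the key being retired.
demo() {
    d=$(mktemp -d) || return 1
    new_key_and_csr old.example.org "$d" && new_key_and_csr mail.example.org "$d" || return 1
    echo "new key size: $(key_bits "$d/mail.example.org.key") bits"
    if csr_is_rekeyed "$d/old.example.org.key" "$d/mail.example.org.csr"; then
        echo "CSR uses a new key"
    fi
    rm -rf "$d"
}
demo
```

Once the CA returns the certificate, `pubkey_fp x509` on it should print the same fingerprint as `pubkey_fp key` on the new key.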