Re-generating SSL certificates for ISPConfig

Discussion in 'General' started by Norman, May 13, 2008.

  1. Norman

    Norman Member HowtoForge Supporter

    This is related to a new (critical) vulnerability affecting OpenSSL in Debian 4.0
    ( see ) .

    Could someone be so kind as to give me input on my checklist:

    This is not really ISPConfig's fault but I'm going to have to regenerate all ssl certificates on all systems.

    So... for debian "perfect setup" what would I need to do?

    1. regenerate SSL certificates for ISPConfig
    2. regenerate SSL certificates for IMAP-SSL / POP3-SSL
    3. Re-generate customer self-signed certificates. (ok, know how this is done)
    4. re-generate keys for SSH (done with apt-get upgrade)

    Anything else I might've missed?

    How do I regenerate SSL certificates for 1 and 2?
  2. letic

    letic New Member

    That's a good question I was actually asking myself. Is ISPConfig using openssl from the installed Debian package or does it compile its own?

    Well, I checked in the setup2 script and you can see that the script is actually checking where the openssl command is (please, Till and Falko, correct me if I'm wrong):

      echo "########## OPENSSL ##########"
      echo $q_openssl_check
      # Look for an openssl binary on the PATH
      which openssl
      if [ $? != 0 ]; then
        error "openssl not found!";
      else
        log "openssl found: `which openssl`"
        echo OK
      fi
    but I couldn't find where it actually uses it, but I think we'll have to regenerate all our keys...

    Falko, Till, could you confirm?

    Thanks in advance
  3. daveb

    daveb Member

    I believe ISPConfig uses its own install of openssl for SSL certs generated by ISPConfig for sites.
    What do you do about all the ssl certs that are already signed by a Certificate Authority?
  4. till

    till Super Moderator Staff Member ISPConfig Developer

  5. till

    till Super Moderator Staff Member ISPConfig Developer

    If I remember correctly, ISPConfig uses the openssl from the Linux distribution to create the certificates. The openssl that is included in ISPConfig is only used for the SSL encryption of the webserver on port 81.
  6. daveb

    daveb Member

    OK, thanks till. I'm still not sure what to do about the other certs, though, that were already signed by a certificate authority. I can create new keys, but then the certs would still have to be re-signed, correct?
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes. If you create a new key, you will have to re-sign them.
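
The last exchange above (a new key means the CA-signed certificate has to be issued again), as an added example that is not part of the thread and is not ISPConfig code: it creates a replacement key and a CSR for the CA, and compares public-key digests to show that the old certificate no longer fits the new key. File names, the CN `www.example.test` and the RSA 2048 key size are constructed for the example, and it assumes an OpenSSL recent enough to provide `openssl pkey`.

```shell
#!/bin/sh
# Added example. All files are constructed in a temporary directory;
# none of these names are ISPConfig paths.

# Print the SHA-256 digest of the public key held in a key, cert or CSR file.
pub_digest() {   # usage: pub_digest key|cert|csr FILE
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    # An unreadable file must never compare equal to another unreadable file.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only when both files carry the same public key.
same_pubkey() {  # usage: same_pubkey TYPE_A FILE_A TYPE_B FILE_B
    a=$(pub_digest "$1" "$2") || return 1
    b=$(pub_digest "$3" "$4") || return 1
    [ "$a" = "$b" ]
}

# Build the files for one re-key: old key + cert, new key, CSR for the CA.
make_rekey_files() {  # usage: make_rekey_files DIR
    dir=$1
    # Stand-in for the key and certificate currently in service (self-signed here).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.test" \
        -keyout "$dir/old.key" -out "$dir/old.crt" 2>/dev/null || return 1
    # Replacement key, to be generated only after openssl has been upgraded.
    openssl genrsa -out "$dir/new.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/new.key"
    # Signing request built from the new key; this is what goes to the CA.
    openssl req -new -key "$dir/new.key" -subj "/CN=www.example.test" \
        -out "$dir/new.csr" 2>/dev/null || return 1
}

# Demo run on constructed files.
demo_dir=$(mktemp -d) && make_rekey_files "$demo_dir" && {
    same_pubkey cert "$demo_dir/old.crt" key "$demo_dir/new.key" \
        || echo "old certificate does not match the new key: it must be re-issued"
    same_pubkey csr "$demo_dir/new.csr" key "$demo_dir/new.key" \
        && echo "CSR carries the new public key: submit new.csr to the CA"
}
rm -rf "$demo_dir"
```

The same `same_pubkey cert ... key ...` check is worth running before restarting a service with a re-issued certificate, since a certificate paired with the wrong key will not load.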
