Upgrading SSL CSR / Certificate to SHA-256
Upgrading Certificate from SHA-1 to SHA-256
Google have announced they are accelerating the move from SHA-1
to SHA-256 hashing, so from about November Chrome may warn users
who visit a website using SHA-1. This probably means you will need
to update any signed certificates used with SurgeMail. Self-signed
ones are not an issue (since they already generate warnings :-)
- Test your current certificate: connect with Chrome to
https://your.mail.server:7443, right click on the https: and
view the details of the certificate to see if it's sha-1 or
- Upgrade to surgemail 6.8b or later
- Make a copy of your ssl folder/files in case you make a
- Create a new 'csr' using the web interface (BUT DO
NOT delete your existing key file, it is fine as is!)
- Paste the csr into your signing authority website, and create
a new 'certificate'
- Paste your new certificate along with any intermediate
certificates into the certificate page in surgemail (make sure
the certificate itself is first in the list)
- Restart surgemail, and test the https link again.
- Note: If you use the same certificate on your website as
surgemail, then you may be doing this process for your web
server; if so, you would only need steps '3 and 6,7' from
above. If you do this for your web server and create a new
private key in the process, be sure to also copy the private key
into surgemail or you will get a mismatch and it won't work.
- If using openssl directly to create a csr (instead of the
surgemail web admin interface) then use -sha256, e.g. to create
the csr request:
    openssl req -sha256 -new -key /usr/local/surgemail/ssl/surge_cert.pem -out request.csr
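
The two checks the steps above depend on (is the signature SHA-1 or SHA-256, and does the private key still match the new csr or certificate) can be scripted with openssl. This is an added example, not part of SurgeMail; the script name check_cert.sh and the function names are hypothetical, and the file paths are whatever you pass in.

```sh
#!/bin/sh
# Added example, not SurgeMail code. All file paths are supplied by the caller.

# Print the signature algorithm of a PEM certificate or CSR,
# e.g. sha1WithRSAEncryption or sha256WithRSAEncryption.
sig_alg() {   # sig_alg <cert|csr> <file>
    case "$1" in
        cert) openssl x509 -in "$2" -noout -text ;;
        csr)  openssl req  -in "$2" -noout -text ;;
    esac | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Return 0 when the algorithm name is SHA-1 based, i.e. the item must be reissued.
needs_upgrade() {
    case "$1" in
        sha1*|*SHA1*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Print the PEM public key held in a private key, CSR or certificate.
pubkey_pem() {   # pubkey_pem <key|csr|cert> <file>
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# Return 0 only when the private key and the CSR/certificate carry the same
# public key. An unreadable file yields an empty key and counts as a mismatch.
key_matches() {   # key_matches <keyfile> <cert|csr> <file>
    k=$(pubkey_pem key "$1")
    c=$(pubkey_pem "$2" "$3")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run directly as: sh check_cert.sh <keyfile> <cert|csr> <file>
# (check_cert.sh is a hypothetical name for this script)
if [ "$#" -eq 3 ]; then
    alg=$(sig_alg "$2" "$3")
    echo "signature algorithm: $alg"
    needs_upgrade "$alg" && echo "SHA-1 signature: create a new csr with -sha256"
    key_matches "$1" "$2" "$3" || echo "private key does not match this $2"
fi
```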