Upgrading SSL CSR / Certificate to SHA-256


Upgrading Certificate from SHA-1 to SHA-256

Google has announced that it is accelerating the move from SHA-1 to SHA-256 hashing, so from about November Chrome may warn users who visit a website using SHA-1. This probably means you will need to update any signed certificates used with SurgeMail. Self-signed ones are not an issue, since they already generate warnings :-)

  1. Test your current certificate: connect with Chrome to https://your.mail.server:7443, right-click on the https: and view the details of the certificate to see whether it is SHA-1 or SHA-256.
    Image of bad certificate
  2. Upgrade to SurgeMail 6.8b or later: https://netwinsite.com/surgemail/betadownloads.htm
  3. Make a copy of your ssl folder/files in case you make a mistake.
  4. Create a new CSR using the web interface (BUT DO NOT delete your existing key file, it is fine as is!).
  5. Paste the CSR into your signing authority's website and create a new certificate.
  6. Paste your new certificate, along with any intermediate certificates, into the certificate page in SurgeMail (make sure the certificate itself is first in the list).
  7. Restart SurgeMail and test the https link again.
    Correct certificate
  8. Note: If you use the same certificate on your website as in SurgeMail, you may be doing this process for your web server; in that case you only need steps 3, 6 and 7 from above. If you do this for your web server and create a new private key in the process, be sure to also copy the private key into SurgeMail, or you will get a mismatch and it won't work.
  9. If you use openssl directly to create the CSR (instead of the SurgeMail web admin interface), use -sha256, e.g.
       openssl req -sha256 -new -key /usr/local/surgemail/ssl/surge_cert.pem -out request.csr
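
The checks from steps 1, 7 and 8 can also be done from the command line. The script below is an added example, not part of SurgeMail or the original page: it reads the signature hash of a CSR or certificate and confirms that it pairs with the private key. The function names, the temporary files and the host name mail.example.test are made up for the demonstration; point the functions at your own ssl files instead.

```shell
#!/bin/sh
# Added example: check the signature hash of a CSR/certificate and its key pairing.

# Pick the openssl subcommand for a PEM CSR or a PEM certificate.
pem_cmd() {
    if grep -q 'CERTIFICATE REQUEST' "$1"; then echo req; else echo x509; fi
}

# sig_alg FILE: print the signature algorithm, e.g. sha256WithRSAEncryption.
sig_alg() {
    openssl "$(pem_cmd "$1")" -in "$1" -noout -text |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# is_sha1 NAME: succeed when the algorithm name is SHA-1 based.
is_sha1() {
    case "$1" in *[Ss][Hh][Aa]1*) return 0 ;; *) return 1 ;; esac
}

# key_matches KEY FILE: succeed when FILE carries the public half of KEY.
key_matches() {
    want=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    have=$(openssl "$(pem_cmd "$2")" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# report KEY FILE: print one verdict line; non-zero status on any problem.
report() {
    alg=$(sig_alg "$2")
    if is_sha1 "$alg"; then echo "$2: $alg (SHA-1, reissue)"; return 1; fi
    if ! key_matches "$1" "$2"; then echo "$2: $alg, key MISMATCH"; return 1; fi
    echo "$2: $alg, key matches"
}

# Constructed throwaway keys, CSR and self-signed certificate (runs offline).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
openssl genrsa -out "$tmp/key.pem" 2048 2>/dev/null
openssl genrsa -out "$tmp/other.pem" 2048 2>/dev/null
openssl req -sha256 -new -key "$tmp/key.pem" -subj "/CN=mail.example.test" \
    -out "$tmp/request.csr"
openssl x509 -req -sha256 -days 1 -in "$tmp/request.csr" \
    -signkey "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null

report "$tmp/key.pem" "$tmp/request.csr"
report "$tmp/key.pem" "$tmp/cert.pem"
report "$tmp/other.pem" "$tmp/cert.pem" || true   # wrong key: reports MISMATCH
```

Running report against the key and certificate you are about to paste into SurgeMail catches the mismatch from step 8 before the restart in step 7.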