# is it possible to extend date of certificate?



## edhunter (Jan 29, 2009)

Hello guys 

I am using self signed certificate pair (.key and .crt) for my company's mail server. All personel has the .crt file imported and trusted in theirs mail clients.

An year ago when I created the certs, it was only experimental, but it was ok and now all employer's computers are configured to send and receive mail through smtps and pop3s.

Is there any chance to extend sertificate expirty date? Do I have to create new certificate?

I'm a bit noob with ssl certificates.. and it didn't come to my mind that the certificate will expire after one year. Now I am facing the problem that very soon all users will become unable to use their emails. And my users are in different places and most of them dont have skills to reconfigure their mail clients.

I am looking for a solution that doesnt require client actions...
I hope it is possible 

10x in advance

p.s. the mail server machine is with FreeBSD 7.1-RELEASE-p2 (i386)
smtp - exim-4.69_2
pop3 - dovecot-1.1.8


----------



## trev (Jan 29, 2009)

You need to create a new certificate - and this time make the expiry date sufficiently far into the future that you won't be around when it expires again


----------



## gilinko (Jan 29, 2009)

You can't extend a current time limitation of a signed certificate, you will have to create a new one. Do a google search for "Self signed certificates" and you will find thousands of howto's. The important part is when creating the new certificate is to add the _--days_ parameter and set it to something large as 3650 (approximately 10 years validity)

You users will still be able to fetch their emails and the link will still be ssl encrypted, but they will probably get a warning about an expired certificate.


----------



## edhunter (Jan 29, 2009)

10x for the quick replies :>

yep google was the place where i found how to create selfsigned certifciate, but i did the error to create it for 1 year... ( copy paste in a hurry )

now i will be very carefull with --days )


----------



## tingo (Jan 29, 2009)

FWIW, think about how long you want to use your certificate before setting it to "many years". Why? Because a part of the security is that the certificate expires (of course somebody has to create a new one each time it expires, but that is a quite small job). Expiration is good for several things: - you can change to a newer / better crypto or certificate strength (if such has been developed in the mean time), - clients (users) gets a small reminder that certificates are something that they should think about (instead of just blindly accepting all questions on their machine with "YES" or "OK" button...)

Well, you get the idea.


----------

