# Certificates expired - including CA



## jontheil (Jun 6, 2016)

Hi list

I have lost the functionality of my mail servers (postfix and dovecot) as well as other servers due to expired certificates. These are all self-signed. Frankly, I have not kept notes of all configurations and methods. Though, I know for sure I have used some of the proposed methods at http://www.zytrax.com/tech/survival/ssl.html.
When I check the mail servers certificates with
`openssl x509 -in ca/certs/mailserver.pem -noout -purpose -dates`, I get

```
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
notBefore=Feb 10 20:05:02 2013 GMT
notAfter=Jan  5 20:05:02 2016 GMT
```
And for the CA certificate,
`openssl x509 -in ca/cacert.pem -noout -purpose -dates`gives

```
Certificate purposes:
SSL client : Yes
SSL client CA : Yes
SSL server : Yes
SSL server CA : Yes
Netscape SSL server : Yes
Netscape SSL server CA : Yes
S/MIME signing : Yes
S/MIME signing CA : Yes
S/MIME encryption : Yes
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes
notBefore=Mar 24 00:49:52 2012 GMT
notAfter=Mar 24 00:49:52 2015 GMT
```
Of course, I have tried Google, but it is easy for me to figure out how to solve the issues. To begin with, a couple of links to really good howto pages might help. Otherwise some directions/instructions.

Any help is very much appreciated!

Best regards,
Jon Theil Nielsen
(FreeBSD 10.2-RELEASE AMD64)


----------

