Renewed server SSL cert & configuration

posted Sep 21, 2014, 6:25 AM by Sami Lehtinen   [ updated Sep 21, 2014, 6:55 AM ]
Renewed my server certs, new fingerprints are:

SHA-256 fingerprint:
BB:83:53:16:23:2D:A5:01:90:DA:2E:2C:51:D9:9A:64:66:F3:21:81:A0:95:CF:41:41:61:C3:D1:A3:00:15:2A

SHA-1 fingerprint:
A5:F8:E3:0F:3F:7B:EB:99:D3:4C:3D:09:39:4C:D0:86:C5:F6:D2:C6

These fingerprints can be used for SMTP certificate pinning (the fingerprint security level in Postfix terms), or you can use the secure level, which verifies the certificate chain and the server name against the cert, instead of opportunistic encryption, which encrypts the session but does not authenticate the server at all.

The cert is valid until 22.09.2015; as usual I also renewed the private keys, and the whole cert chain now uses SHA-2 (SHA-256). RSA keys are 4096 bits and elliptic curve keys are at least 256 bits. Ephemeral ECDHE or DHE key exchange is used whenever possible, but you'll see all that in the SSL Report.

The Qualys SSL Labs SSL Report now rates my server as A+.

I haven't yet bothered to configure DANE as one of my friends has done. Configuring DANE or OCSP would be nice, but I think the weather is still too nice for that. I have, however, verified that my server properly uses DANE for domains which have it configured. So for such domains you can set tls_policy to dane-only, which refuses to deliver at all unless a DNSSEC-validated TLSA record matches the server's certificate, instead of falling back to unauthenticated or plaintext delivery.
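The checks described above (pinning the published fingerprint, the secure and dane-only policy levels) as an added example; this is not the author's configuration and not code from the original post. It assumes the sending MTA is Postfix 2.11 or newer, that openssl is installed, that example.com is the pinned destination (a placeholder), and it reuses the SHA-256 fingerprint quoted in the post only as the pinned value.

```shell
#!/bin/sh
# Added example (not from the original post): verify an SMTP server's
# certificate fingerprint and build the matching Postfix TLS policy.
#
# Relevant Postfix main.cf lines (assumed setup, shown here for reference):
#   smtp_tls_security_level   = dane      # opportunistic DANE by default
#   smtp_dns_support_level    = dnssec    # DANE needs DNSSEC-validated lookups
#   smtp_tls_fingerprint_digest = sha256  # older releases default to md5
#   smtp_tls_policy_maps      = hash:/etc/postfix/tls_policy
#
# /etc/postfix/tls_policy entries this script can emit:
#   example.com      fingerprint match=BB:83:53:...   # pin the published cert
#   secure.example   secure                            # chain + name verification
#   dane.example     dane-only                         # defer if no usable TLSA

# Pinned value taken from the post; the destination domain is a placeholder.
PINNED_FP='BB:83:53:16:23:2D:A5:01:90:DA:2E:2C:51:D9:9A:64:66:F3:21:81:A0:95:CF:41:41:61:C3:D1:A3:00:15:2A'
PINNED_DOMAIN='example.com'

# Normalise a fingerprint to uppercase, colon-separated form so that
# "bb835316..." and "BB:83:53:16:..." compare equal.
norm_fp() {
    printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]' \
        | sed 's/../&:/g; s/:$//'
}

# SHA-256 fingerprint of a PEM certificate file, in the form the post uses.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fetch the leaf certificate a mail server presents after STARTTLS
# ($1 = host, $2 = output PEM file). Needs network access.
fetch_smtp_cert() {
    openssl s_client -connect "$1:25" -starttls smtp -servername "$1" \
        </dev/null 2>/dev/null | openssl x509 -out "$2"
}

# Compare a certificate's fingerprint against a pin ($1 = PEM, $2 = pin).
# Returns 0 on match, 1 otherwise, regardless of case or colons in the pin.
check_pin() {
    [ "$(norm_fp "$(cert_fp "$1")")" = "$(norm_fp "$2")" ]
}

# Emit one smtp_tls_policy_maps line pinning a domain to a fingerprint.
policy_line() {
    printf '%s fingerprint match=%s\n' "$1" "$(norm_fp "$2")"
}

# Usage: fetch the cert, refuse the pin if it does not match, otherwise
# print the policy line to append to /etc/postfix/tls_policy.
main() {
    tmp=$(mktemp)
    fetch_smtp_cert "$PINNED_DOMAIN" "$tmp" || { echo "STARTTLS failed"; exit 2; }
    if check_pin "$tmp" "$PINNED_FP"; then
        policy_line "$PINNED_DOMAIN" "$PINNED_FP"
    else
        echo "fingerprint mismatch for $PINNED_DOMAIN: $(cert_fp "$tmp")" >&2
        exit 1
    fi
    rm -f "$tmp"
}

# Only run the network path when invoked directly, not when sourced.
[ "${0##*/}" = "smtp_pin.sh" ] && main
```

After appending the emitted line, run postmap on the policy file and reload Postfix; a renewed certificate (as in this post) changes the fingerprint, so the pin has to be refreshed each time the key is rotated, which is exactly why the post publishes the new values.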