From: Спирова Владислава Сергеевна <vspirova@skzd.rzd.ru>
To: CommuniGate Pro Russian Discussions <cgatepro@list.communigate.ru>
Date: Tue, 15 Jun 2021 17:12:12 +0300
Subject: RE: [CGP] Updating TLS keys and certificates securely.
Message-Id: <02fc675712c58c41badf227978ef4c8c@uc.skzd.rzd>

Hello.

CGP 6.2.15. Cluster. 5000 users. The keys are about to expire. Users work over SSL through the MAPI connector in MS Outlook.

Please advise how to replace the certificates with minimal downtime for them. Do I understand this correctly?

1. Switch PKI Services into test mode.
2. Quickly delete the old key and certificate.
3. Create a request for the issue of a new certificate and issue it.
4. Install the new certificate.
5. Switch PKI Services back into Enable mode?

Will mail service be disrupted while this is done?

Regards,
Спирова Владислава Сергеевна
Rostov Information and Computing Centre, ОАО РЖД
Vspirova@skzd.rzd.ru

-----Original Message-----
From: CommuniGate Pro Russian Discussions
Sent: Tuesday, June 15, 2021 11:35 AM
To: CommuniGate Pro Russian Discussions
Subject: Re: [CGP] Updating TLS keys and certificates securely.

Hello and welcome to the list.

On 2021-06-15 10:57 , Fred. Zwarts F.Zwarts@KVI.nl wrote:
> Last week our TLS certificate expired.
> In addition, for a new certificate a larger key-pair was needed. When we received the new
> certificate we tried to configure the new certificate using the secure port 9010.
> However, halfway through the procedure, the old certificate disappeared and
> the new one was not yet present. So, we had to fall back to the
> insecure port 8010 to complete the configuration of the new certificate.
> We are unhappy with this for two reasons, first because now there has
> been a short period in which the mail server was not accessible in a
> secure way and, second, because we are a bit worried to have to enter
> sensitive information (authentication) with an insecure connection.
>
> Probably, we did not follow the right procedure. From the
> documentation it is not clear to us how we can keep using a secure
> connection when updating key-pairs and certificates. Is it possible to
> enter them in advance and specify a time when they will be activated? I
> hope someone can enlighten us about the correct procedure.

Yes, in the cases when both the private key and the certificate need to be changed, a domain in CGPro is left without a matching key-certificate pair and without SSL/TLS access. We plan to support multiple certificates for a domain in the future, but right now the built-in Test certificate should serve the purpose of a temporary certificate - just don't forget to switch to Test in PKI settings before changing the key and certificate. Though there's a catch with the Test certificate: browsers do not trust it by default.

Also, if you have more than one domain on the server with TLS certs installed (even without an IP dedicated to those domains), then you can use those domains to access the administrative interface of other domains (it may be necessary to provide auth data with the full admin account name that includes the correct domain).
You can also use the CLI to set both the key and the cert in one request, and we have a script for that:
https://www.communigate.ru/pub/stuff/noarch/domcert-pwd.pl

Finally, regarding access via the insecure port 8010: that should be limited to the local trusted network and the loopback address. You are supposed to have ssh access to the remotely running server anyway, and ssh can be used to tunnel access to 127.0.0.1:8010 on the server. This is always nice to have. BTW, the HTTPA socket on 127.0.0.1 may be marked as having "External" SSL/TLS support, so connections through it are always considered secure.

A short digest (translated from Russian):

The question is how to correctly replace a domain's TLS key and certificate at the same time: since this cannot currently be done through WebAdmin in a single action, the domain is left without a key-certificate pair and there is a risk of losing secure access to WebAdmin in the middle of the operation.
There are several possible solutions: using the built-in test certificate, using other domains with installed certificates to access WebAdmin, using the CLI script to change the key and certificate in a single action, or using ssh tunnelling to the unencrypted WebAdmin port.

--
Best regards,
Dmitry Akindinov
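As an added example (not part of the thread, and not the CommuniGate Pro script Dmitry links), here is a POSIX shell pre-flight that an administrator can run before swapping a domain's key and certificate. It addresses the failure mode Fred describes: once the old pair is removed there is nothing to fall back to, so the new material should be verified before the swap rather than discovered to be wrong halfway through. It confirms that the new private key belongs to the new certificate, checks that the certificate is not about to expire, and prints the ssh port-forward that reaches the loopback-only port 8010 Dmitry recommends instead of exposing that port. It assumes the openssl command-line tool is installed; the key pair, the self-signed certificate and the host name admin@mail.example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks before replacing a
# domain's TLS key and certificate in one step. Assumes the openssl CLI is
# available. File names and the admin@mail.example.test host are constructed.
set -e

# SHA-256 of the DER-encoded public key inside a private key file.
key_fingerprint() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key inside a certificate file.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert KEY CERT: succeed only if both files parse and carry the
# same public key, so the pair will actually serve TLS once installed.
key_matches_cert() {
  openssl pkey -in "$1" -noout 2>/dev/null || return 1
  openssl x509 -in "$2" -noout 2>/dev/null || return 1
  k=$(key_fingerprint "$1"); c=$(cert_fingerprint "$2")
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_outlives_days CERT DAYS: succeed if the certificate is still valid
# DAYS from now (openssl -checkend takes seconds).
cert_outlives_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# preflight KEY CERT MINDAYS: run all checks, explain the first failure.
preflight() {
  key_matches_cert "$1" "$2" || { echo "key $1 does not match certificate $2" >&2; return 1; }
  cert_outlives_days "$2" "$3" || { echo "certificate $2 expires within $3 days" >&2; return 1; }
}

# The ssh command that forwards local port 8010 to the server's loopback
# admin port, so the insecure port never needs to be reachable remotely.
tunnel_command() {
  printf 'ssh -N -L 8010:127.0.0.1:8010 %s\n' "$1"
}

# Constructed demo material: a key, a matching 30-day self-signed cert, and
# an unrelated key to show the mismatch being caught.
make_demo_material() {
  openssl req -x509 -batch -newkey rsa:2048 -nodes -days 30 \
    -subj '/CN=mail.example.test' -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/other-key.pem" 2>/dev/null
}

main() {
  dir=$(mktemp -d)
  make_demo_material "$dir"
  if preflight "$dir/key.pem" "$dir/cert.pem" 7; then
    echo "OK: key and certificate agree, safe to install both in one step"
  fi
  if ! preflight "$dir/other-key.pem" "$dir/cert.pem" 7; then
    echo "REFUSED: installing this pair would leave the domain without TLS"
  fi
  echo "Reach the loopback admin port with:"; tunnel_command admin@mail.example.test
  rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then main; fi
```

Run it as `sh preflight.sh --demo` to see both the accepted pair and the refused mismatch; for real material call `preflight new.key new.crt 30` against the files you are about to install. The public-key comparison is the check worth keeping: a certificate that was issued for a different CSR than the key on disk passes every visual inspection and only fails once it is the domain's sole pair.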