This is related to a new (critical) vulnerability affecting OpenSSL in Debian 4.0 (see http://lists.debian.org/debian-security-announce/2008/msg00152.html). Could someone be so kind as to give me input on my checklist? This is not really ISPConfig's fault, but I'm going to have to regenerate all SSL certificates on all systems. So... for the Debian "perfect setup", what would I need to do?

1. Regenerate SSL certificates for ISPConfig
2. Regenerate SSL certificates for IMAP-SSL / POP3-SSL
3. Regenerate customer self-signed certificates (OK, I know how this is done)
4. Regenerate keys for SSH (done with apt-get upgrade)

Anything else I might've missed? How do I regenerate SSL certificates for 1 and 2?
That's a good question I was actually asking myself. Is ISPConfig using openssl from the installed Debian package, or does it compile its own? Well, I checked in the setup2 script and you can see that the script is actually checking where the openssl command is (please, Till and Falko, correct me if I'm wrong):

Code:
echo
echo "########## OPENSSL ##########"
echo
echo $q_openssl_check
which openssl
if [ $? != 0 ]; then
  error "openssl not found!"
else
  log "openssl found: `which openssl`"
  echo OK
fi

but I couldn't find where it actually uses it. I think we'll have to regenerate all our keys... Falko, Till, could you confirm? Thanks in advance, LeTic
I believe ISPConfig uses its own install of openssl for SSL certs generated by ISPConfig for sites. What do you do about all the SSL certs that are already signed by a Certificate Authority?
1) http://www.howtoforge.com/forums/showpost.php?p=358&postcount=4 2) If you use courier: http://www.howtoforge.com/forums/showpost.php?p=6079&postcount=6
If I remember correctly, ISPConfig uses the openssl from the Linux distribution to create the certificates. The openssl that is included in ISPConfig is only used for the SSL encryption of the web server on port 81.
OK, thanks Till. Still not sure what to do about the other certs though, the ones that were already signed by a certificate authority. I can create new keys, but then the certs would still have to be re-signed, correct?
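The procedure behind the checklist in the first post, Till's links and the last question, as an added example that is not part of the thread and not ISPConfig's or Courier's own code: a POSIX shell script that replaces a key pair generated by the broken Debian OpenSSL (DSA-1571). The key, not the certificate, is what the bug weakened, so a self-signed certificate is simply regenerated, while a CA-signed certificate needs a new key plus a new CSR that the CA must sign again; the old certificate cannot be kept because it binds the predictable public key. The helper names, the weak-key check via `openssl-vulnkey` (Debian's openssl-blacklist package, assumed to exit non-zero when a key is blacklisted) and the ISPConfig and Courier paths mentioned in comments are assumptions for illustration, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Regenerates RSA keys after the
# Debian OpenSSL PRNG bug (DSA-1571) and checks the result before deploying.
set -eu

# Hypothetical helper: is the key on the Debian weak-key blacklist?
# Returns 0 = clean, 1 = blacklisted (openssl-vulnkey's assumed exit code),
# 2 = no checker installed, so the caller can decide what to do.
check_weak_key() {
    key="$1"
    if command -v openssl-vulnkey >/dev/null 2>&1; then
        openssl-vulnkey "$key" >/dev/null 2>&1
    else
        return 2
    fi
}

# Fresh 2048-bit key and self-signed certificate (ISPConfig on port 81,
# customer self-signed sites). Old files are kept as .bak for rollback.
regen_selfsigned() {
    key="$1"; crt="$2"; cn="$3"; days="${4:-365}"
    [ -f "$key" ] && cp -p "$key" "$key.bak"
    [ -f "$crt" ] && cp -p "$crt" "$crt.bak"
    ( umask 077; openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -days "$days" -subj "/CN=$cn" -keyout "$key" -out "$crt" 2>/dev/null )
    chmod 600 "$key"
}

# CA-signed site: new key plus a new CSR to send back to the CA. The old
# certificate is useless because it certifies the predictable public key.
regen_csr() {
    key="$1"; csr="$2"; cn="$3"
    [ -f "$key" ] && cp -p "$key" "$key.bak"
    ( umask 077; openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$cn" -keyout "$key" -out "$csr" 2>/dev/null )
    chmod 600 "$key"
}

# Sanity check before restarting a service: key and certificate (or CSR)
# must share the same modulus, otherwise the daemon fails to start or keeps
# presenting the old weak public key.
key_matches() {
    key="$1"; pem="$2"
    k=$(openssl rsa -noout -modulus -in "$key" | openssl sha256)
    case "$pem" in
        *.csr) p=$(openssl req  -noout -modulus -in "$pem" | openssl sha256) ;;
        *)     p=$(openssl x509 -noout -modulus -in "$pem" | openssl sha256) ;;
    esac
    [ "$k" = "$p" ]
}

# Demo in a scratch directory. Assumed real locations: ISPConfig's own Apache
# on port 81 reads .../httpd/conf/ssl.key/server.key and ssl.crt/server.crt;
# Courier IMAP/POP3 read one combined key+cert PEM such as /etc/courier/imapd.pem.
main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 0; }
    work=$(mktemp -d)

    regen_selfsigned "$work/server.key" "$work/server.crt" ispconfig.example.org 365
    key_matches "$work/server.key" "$work/server.crt" && echo "ispconfig: key/cert match"

    regen_selfsigned "$work/imapd.key" "$work/imapd.crt" mail.example.org 365
    cat "$work/imapd.key" "$work/imapd.crt" > "$work/imapd.pem"   # Courier layout
    chmod 600 "$work/imapd.pem"
    key_matches "$work/imapd.pem" "$work/imapd.pem" && echo "courier: combined pem ok"

    regen_csr "$work/www.key" "$work/www.csr" www.example.org
    key_matches "$work/www.key" "$work/www.csr" && echo "www: key/csr match, send CSR to CA"

    if check_weak_key "$work/www.key"; then echo "www.key: not blacklisted"
    elif [ $? -eq 2 ]; then echo "www.key: openssl-vulnkey not installed, check skipped"
    else echo "www.key: BLACKLISTED, do not deploy"; fi
    rm -rf "$work"
}

main "$@"
```

Run it once as a dry run, then point the functions at the real key and certificate paths, restart the affected daemons, and only then delete the `.bak` files. For Courier, Till's linked post is the authority on the exact files; the combined PEM shown here is the layout Courier's own `mkimapdcert` produces.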