a memo

Updating Your SSL Certificate

They're only valid for one year, see. But you have all the tools necessary to sign a fresh new one, you just need to know where to look...

OpenSSL is your friend


On a default install, Apache+mod_ssl puts all of its keys and certs in the apache/conf directory, so that's where we'll go to do our updating. As root, repeat after me:
  1. Use openssl to create a new Certificate Signing Request (csr)
    cd /usr/local/apache/conf/ssl.csr/
    openssl req -new -key ../ssl.key/server.key -out server.csr
  2. You can fill in whatever you want for most of the fields, but the "Common Name" must match your server's hostname, like so:
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:New York
    Locality Name (eg, city) []:New York
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:CHXO Internet
    Organizational Unit Name (eg, section) []:Hosting
    Common Name (eg, YOUR name) []:berylium.psydeshow.org
  3. Now... you can either pay a commercial Certificate Authority to verify your identity and sign your .csr file, or you can sign it yourself. This is completely up to you, it really is. Self-signed certificates will not be implicitly trusted by most web browsers, so users will have to manually accept the certificate. But the data won't be any less secure. (Really the whole thing is a little silly, you should ask me about it I can rant for hours. It's all Verisign's fault, greedy bastards.)

  4. Use openssl to sign your csr. Since you are updating an existing cert, it is assumed that you generated your own Certificate Authority (CA) key and cert when you installed mod_ssl in the first place.
    cd /usr/local/apache/conf/ssl.crt
    cat >mkcert.cfg <<EOT
    extensions = x509v3
    [ x509v3 ]
    subjectAltName = email:copy
    nsComment = "hand generated custom server certificate"
    nsCertType = server
    EOT
    date +%s > mkcert.serial
    openssl x509 -extfile mkcert.cfg \
    -days 365 \
    -CAserial mkcert.serial \
    -CA ./ca.crt \
    -CAkey ../ssl.key/ca.key \
    -in ../ssl.csr/server.csr -req \
    -out ./server.crt
  5. Verify the signature:
    openssl verify -CAfile ca.crt server.crt
  6. Okay, time to restart Apache... but you can't just restart, you have to stop, then sslstart:
    apachectl stop
    apachectl sslstart
  7. Close your browser to make it forget your old certificate... then connect to your site and check out your fresh new cert. w00t.
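The whole renewal as one script, added here as an example and not part of the memo: it runs steps 1, 4 and 5 non-interactively and then checks the new cert (chain, key match, hostname, expiry) before you touch Apache. The directory layout, the throwaway CA built by make_demo_ca and the Demo organisation are assumptions so it runs offline; the openssl commands are stock.

```shell
# Added example (not from the memo): renew a mod_ssl server cert with a
# private CA and check the result. make_demo_ca builds a throwaway CA and
# server key so this runs offline; paths and the demo CA are assumptions.
set -e

make_demo_ca() {                      # constructed CA + server key in $1
    d=$1
    mkdir -p "$d"
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -batch -key "$d/ca.key" -days 3650 \
        -subj "/O=Demo/CN=Demo CA" -out "$d/ca.crt" 2>/dev/null
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
}

# renew_cert DIR HOSTNAME: steps 1, 4 and 5 of the memo, non-interactive.
renew_cert() {
    d=$1; host=$2
    openssl req -new -batch -key "$d/server.key" -subj "/O=Demo/CN=$host" \
        -out "$d/server.csr" 2>/dev/null
    # Extension file: a matching CN alone is not enough any more, browsers
    # check the subjectAltName, so put the hostname there as well.
    cat >"$d/mkcert.cfg" <<EOT
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOT
    # -CAcreateserial stands in for the memo's hand-made mkcert.serial.
    openssl x509 -req -in "$d/server.csr" -days 365 \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -extfile "$d/mkcert.cfg" -out "$d/server.crt" 2>/dev/null
}

# check_cert DIR HOSTNAME: prints "ok" when the new cert chains to the CA,
# matches the existing server key, names the host and is not near expiry;
# otherwise prints which check failed and returns 1.
check_cert() {
    d=$1; host=$2
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null 2>&1 \
        || { echo chain; return 1; }
    [ "$(openssl rsa -noout -modulus -in "$d/server.key")" = \
      "$(openssl x509 -noout -modulus -in "$d/server.crt")" ] \
        || { echo keymismatch; return 1; }
    openssl x509 -noout -text -in "$d/server.crt" | grep -q "DNS:$host" \
        || { echo san; return 1; }
    # -checkend N fails if the cert expires within N seconds (30 days here)
    openssl x509 -noout -checkend 2592000 -in "$d/server.crt" >/dev/null \
        || { echo expiring; return 1; }
    echo ok
}
```

Run check_cert against the live conf directory with your real hostname before the stop/sslstart; a "keymismatch" means the CSR was made with a different key than the one server.key Apache loads.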

By Chris Snyder on September 30, 2003 at 10:13pm

