Renewing a Self-Signed SSL certificate

The SSL cert expired on my Subversion server and while not detrimental to my users or security, it was giving an eyebrow raising warning. The certs are only good for 365 days and have to be recreated. The quickest solution, especially since ours is for internal use, is to just recreate the self-signed certs.

First, find where httpd expects the current certificate and key (if any). The paths we need are the values of SSLCertificateFile and SSLCertificateKeyFile:

[root@SVN ~]# grep SSLCertificate /etc/httpd/conf.d/ssl.conf 
# Point SSLCertificateFile at a PEM encoded certificate.  If
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
#   Point SSLCertificateChainFile at a file containing the
#   the referenced file can be the same as SSLCertificateFile
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

Now generate a new private key and certificate signing request (CSR). Remember the pass phrase you enter; it is needed in the next step:

[root@SVN ~]# openssl req -new > new.ssl.csr
Generating a 1024 bit RSA private key
.....................++++++
.........................................................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase: Enter pass phrase
Verifying - Enter PEM pass phrase: Reenter pass phrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:CA
Locality Name (eg, city) [Newbury]:Your_City
Organization Name (eg, company) [My Company Ltd]:Widgets R Us!
Organizational Unit Name (eg, section) []:IT Department
Common Name (eg, your name or your server's hostname) []:SVN
Email Address []:your@email.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: blank
An optional company name []: blank

The command created two new files: the CSR and the pass-phrase-protected private key.

[root@SVN ~]# ls
new.ssl.csr  privkey.pem

Now write an unencrypted copy of the key, entering the pass phrase from the previous step. Without this, httpd would prompt for the pass phrase at every start.

[root@SVN ~]# openssl rsa -in privkey.pem -out ca.key
Enter pass phrase for privkey.pem: Enter pass phrase
writing RSA key

The unencrypted key now sits alongside the CSR:

[root@SVN ~]# ls
ca.key  new.ssl.csr  privkey.pem

Now sign the CSR with the new key to produce a self-signed certificate valid for 365 days:

[root@SVN ~]# openssl x509 -in new.ssl.csr -out ca.crt -req -signkey ca.key -days 365
Signature ok
subject=/C=US/ST=CA/L=Your_City/O=Widgets R Us!/OU=IT Department/CN=SVN/emailAddress=your@email.com
Getting Private key

Change the permissions so the key is not world readable. Note that privkey.pem holds the same key (pass-phrase protected), so delete it or restrict it the same way once ca.key is in place.

[root@SVN ~]# chmod 600 ca.key
[root@SVN ~]# ll
total 2030528
-rw-r--r-- 1 root root        981 Oct 17 10:03 ca.cert
-rw------- 1 root root        887 Oct 17 10:01 ca.key
-rw-r--r-- 1 root root        951 Oct 17 09:59 privkey.pem

Now move the new certificate and key to the paths from ssl.conf and restart the web server:

[root@SVN ~]# mv ca.crt /etc/pki/tls/certs/ca.crt 
mv: overwrite `/etc/pki/tls/certs/ca.crt'? y
[root@SVN ~]# mv ca.key /etc/pki/tls/private/ca.key 
mv: overwrite `/etc/pki/tls/private/ca.key'? y
[root@SVN ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
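The whole procedure above collapsed into one step, with the checks worth running before swapping the files into place, as an added example that is not from the original post: `-x509` lets `openssl req` self-sign the request directly, and `-nodes` omits the pass phrase, so the separate `openssl rsa` step and the privkey.pem leftover both disappear. The helper functions confirm the key matches the certificate, that the key is mode 600, and how much validity remains. The subject fields, the 2048-bit key size, the subjectAltName extension (which needs OpenSSL 1.1.1 or later for `-addext`) and the temporary directory are my assumptions; the post's own run used a 1024-bit key and no SAN.

```sh
#!/bin/sh
# Added example, not from the original post: regenerate a self-signed
# certificate in one step and verify it before copying it into place.
set -eu

# Create an unencrypted RSA key and a self-signed certificate for CN in one
# command. -x509 signs the request directly and -nodes omits the pass phrase,
# so no 'openssl rsa' step is needed and no privkey.pem is left behind.
# The SAN extension (assumption: OpenSSL >= 1.1.1 for -addext) is what
# current clients actually check; they ignore the CN.
gen_selfsigned() {
    key=$1; crt=$2; cn=$3; days=${4:-365}
    (   # umask 077 makes the key mode 600 from the moment it is written
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
            -subj "/C=US/ST=CA/O=Widgets R Us/OU=IT Department/CN=$cn" \
            -addext "subjectAltName=DNS:$cn" \
            -keyout "$key" -out "$crt"
    )
    chmod 644 "$crt"   # the certificate is public; only the key is secret
}

# Succeed if the certificate is still valid for at least DAYS more days.
# Run this from cron to be warned before the next expiry, not after it.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Succeed if KEY is the private half of the public key in CRT (RSA only):
# the two moduli must be identical. Catches a cert/key mix-up after mv.
key_matches_cert() {
    crt=$1; key=$2
    cm=$(openssl x509 -noout -modulus -in "$crt")
    km=$(openssl rsa  -noout -modulus -in "$key")
    [ -n "$cm" ] && [ "$cm" = "$km" ]
}

# Succeed if the key file is readable and writable by its owner only (mode 600).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Print the certificate subject in RFC 2253 form, e.g. to confirm the CN.
cert_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1"
}

# Demo run in a throwaway directory (constructed paths; nothing is installed).
demo() {
    work=$(mktemp -d)
    gen_selfsigned "$work/ca.key" "$work/ca.crt" SVN 365
    cert_subject "$work/ca.crt"
    key_matches_cert "$work/ca.crt" "$work/ca.key" && echo "key matches certificate"
    key_is_private "$work/ca.key" && echo "key is mode 600"
    cert_valid_for_days "$work/ca.crt" 30 && echo "valid for at least 30 more days"
    rm -rf "$work"
}
demo
```

After generating into a working directory, copy ca.crt and ca.key to the paths from ssl.conf, run `key_matches_cert` and `key_is_private` against the installed paths, and only then restart httpd. A cron entry that calls `cert_valid_for_days /etc/pki/tls/certs/ca.crt 14` turns next year's surprise into a two-week warning.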
