Renewing a Self-Signed SSL certificate

The SSL cert expired on my Subversion server and, while not detrimental to my users or security, it was giving an eyebrow-raising warning. The certs are only good for 365 days and have to be recreated. The quickest solution, especially since ours is for internal use, is to just recreate the self-signed certs.

First, check the path of the current cert/key (if any). We want the paths set by SSLCertificateFile and SSLCertificateKeyFile:

[root@SVN ~]# grep SSLCertificate /etc/httpd/conf.d/ssl.conf 
# Point SSLCertificateFile at a PEM encoded certificate.  If
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
#   Point SSLCertificateChainFile at a file containing the
#   the referenced file can be the same as SSLCertificateFile
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

Now generate the new CSR. This also creates a new, passphrase-protected private key (privkey.pem), so remember the password you enter:

[root@SVN ~]# openssl req -new > new.ssl.csr
Generating a 1024 bit RSA private key
writing new private key to 'privkey.pem'
Enter PEM pass phrase: Enter pass phrase
Verifying - Enter PEM pass phrase: Reenter pass phrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:CA
Locality Name (eg, city) [Newbury]:Your_City
Organization Name (eg, company) [My Company Ltd]:Widgets R Us!
Organizational Unit Name (eg, section) []:IT Department
Common Name (eg, your name or your server's hostname) []:SVN
Email Address []
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: blank
An optional company name []: blank


The command created two new files.

[root@SVN ~]# ls
new.ssl.csr  privkey.pem


Now write out the key without its passphrase, entering the previous password when prompted. The resulting ca.key is unencrypted, which is what lets httpd start without prompting; it is also why the file permissions set below matter.

[root@SVN ~]# openssl rsa -in privkey.pem -out ca.key
Enter pass phrase for privkey.pem: Enter pass phrase
writing RSA key


The new key is now in the current directory:

[root@SVN ~]# ls
ca.key  new.ssl.csr  privkey.pem


Now generate the self-signed certificate from the CSR, signing it with the new key and making it valid for another 365 days.

[root@SVN ~]# openssl x509 -in new.ssl.csr -out ca.crt -req -signkey ca.key -days 365
Signature ok
subject=/C=US/ST=CA/L=Your_City/O=Widgets R Us!/OU=IT Department/CN=SVN/emailAddress=
Getting Private key


Change the permissions so the key is not world-readable.

[root@SVN ~]# chmod 600 ca.key
[root@SVN ~]# ll
total 2030528
-rw-r--r-- 1 root root        981 Oct 17 10:03 ca.cert
-rw------- 1 root root        887 Oct 17 10:01 ca.key
-rw-r--r-- 1 root root        951 Oct 17 09:59 privkey.pem


Now move the certificate and key into the paths from ssl.conf and restart the web server.

[root@SVN ~]# mv ca.crt /etc/pki/tls/certs/ca.crt 
mv: overwrite `/etc/pki/tls/certs/ca.crt'? y
[root@SVN ~]# mv ca.key /etc/pki/tls/private/ca.key 
mv: overwrite `/etc/pki/tls/private/ca.key'? y
[root@SVN ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
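As an added example (not the original post's commands), here is the same renewal folded into one non-interactive POSIX shell script, plus a check a cron job could run to catch the next expiry before anyone sees the browser warning. CERT_DIR, KEY_DIR, the hostname svn.example.internal and the subject fields are placeholder assumptions; point CERT_DIR and KEY_DIR at the ssl.conf paths to use it for real. It differs from the post in two ways: it generates a 2048-bit key instead of 1024, and it writes the key unencrypted in one step (-nodes) rather than stripping the passphrase afterwards with openssl rsa.

```shell
#!/bin/sh
# Added example, not the original post's commands. Renews a self-signed
# certificate non-interactively and installs it the way the post does by hand.
# CERT_DIR, KEY_DIR and CN are placeholder assumptions; override them via env.
set -eu

: "${CERT_DIR:=./tls-demo/certs}"     # assumption; the post uses /etc/pki/tls/certs
: "${KEY_DIR:=./tls-demo/private}"    # assumption; the post uses /etc/pki/tls/private
: "${CN:=svn.example.internal}"       # constructed hostname for the CN
: "${DAYS:=365}"                      # same lifetime as the post

# Generate key, CSR and self-signed cert, verify they match, then install.
renew_self_signed() {
    workdir=$(mktemp -d)
    mkdir -p "$CERT_DIR" "$KEY_DIR"

    # Key and CSR in one step. -nodes writes the key unencrypted, which is
    # what the post's separate 'openssl rsa' step achieved by stripping the
    # passphrase, so httpd can restart unattended. 2048-bit rather than 1024.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$workdir/ca.key" -out "$workdir/new.ssl.csr" \
        -subj "/C=US/ST=CA/O=Widgets R Us/OU=IT Department/CN=$CN" 2>/dev/null

    # Self-sign the CSR with the new key (the post's 'openssl x509 -req').
    openssl x509 -req -in "$workdir/new.ssl.csr" -signkey "$workdir/ca.key" \
        -days "$DAYS" -out "$workdir/ca.crt"

    # Refuse to install a key/cert pair that does not belong together;
    # a mismatch here is the kind of thing that stops httpd from starting.
    key_mod=$(openssl rsa -in "$workdir/ca.key" -noout -modulus)
    crt_mod=$(openssl x509 -in "$workdir/ca.crt" -noout -modulus)
    if [ "$key_mod" != "$crt_mod" ]; then
        echo "key and certificate do not match; not installing" >&2
        rm -rf "$workdir"
        return 1
    fi

    # Lock the key down before it reaches the live path (post: chmod 600).
    chmod 600 "$workdir/ca.key"
    chmod 644 "$workdir/ca.crt"

    # Keep a timestamped copy of whatever is being replaced instead of
    # answering the post's interactive 'mv: overwrite?' prompt.
    stamp=$(date +%Y%m%d%H%M%S)
    [ -f "$CERT_DIR/ca.crt" ] && cp -p "$CERT_DIR/ca.crt" "$CERT_DIR/ca.crt.$stamp"
    [ -f "$KEY_DIR/ca.key" ] && cp -p "$KEY_DIR/ca.key" "$KEY_DIR/ca.key.$stamp"
    mv "$workdir/ca.crt" "$CERT_DIR/ca.crt"
    mv "$workdir/ca.key" "$KEY_DIR/ca.key"
    rm -rf "$workdir"
}

# Exit 0 when the certificate is still valid for at least $2 more days,
# non-zero otherwise (openssl's -checkend). Run it from cron so the next
# expiry is noticed before users are.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Subject CN of an installed certificate, for a quick sanity check.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

renew_self_signed
echo "installed $CERT_DIR/ca.crt for CN=$(cert_cn "$CERT_DIR/ca.crt")"
cert_valid_for_days "$CERT_DIR/ca.crt" 30 && echo "more than 30 days of validity left"
```

The script deliberately stops short of `service httpd restart`; run that once the files are in the live paths, as in the post. The modulus comparison is the check worth keeping even when renewing by hand: it catches the case where an old key is left in /etc/pki/tls/private next to a new certificate.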
