The SSL cert expired on my Subversion server. While not detrimental to my users or to security, it was giving an eyebrow-raising warning. The certs are only good for 365 days and have to be recreated; the quickest solution, especially since ours is for internal use, is to just recreate the self-signed certs.
First, check the path of the current cert and key (if any). We want the values of SSLCertificateFile and SSLCertificateKeyFile:
```
[root@SVN ~]# grep SSLCertificate /etc/httpd/conf.d/ssl.conf
#   Point SSLCertificateFile at a PEM encoded certificate.  If
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
#   Point SSLCertificateChainFile at a file containing the
#   the referenced file can be the same as SSLCertificateFile
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
```
Now generate the new CSR and remember the pass phrase you enter:
```
[root@SVN ~]# openssl req -new > new.ssl.csr
Generating a 1024 bit RSA private key
.....................++++++
.........................................................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase: Enter pass phrase
Verifying - Enter PEM pass phrase: Reenter pass phrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:CA
Locality Name (eg, city) [Newbury]:Your_City
Organization Name (eg, company) [My Company Ltd]:Widgets R Us!
Organizational Unit Name (eg, section) []:IT Department
Common Name (eg, your name or your server's hostname) []:SVN
Email Address []:your@email.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: blank
An optional company name []: blank
```
The command created two new files:
```
[root@SVN ~]# ls
new.ssl.csr  privkey.pem
```
Now write out the private key without the pass phrase (so Apache can start without prompting for it), entering the pass phrase from the previous step:
```
[root@SVN ~]# openssl rsa -in privkey.pem -out ca.key
Enter pass phrase for privkey.pem: Enter pass phrase
writing RSA key
```
The unencrypted key now sits next to the CSR:
```
[root@SVN ~]# ls
ca.key  new.ssl.csr  privkey.pem
```
Now generate the self-signed certificate, valid for 365 days:
```
[root@SVN ~]# openssl x509 -in new.ssl.csr -out ca.crt -req -signkey ca.key -days 365
Signature ok
subject=/C=US/ST=CA/L=Your_City/O=Widgets R Us!/OU=IT Department/CN=SVN/emailAddress=your@email.com
Getting Private key
```
Change the permissions so the key is not world readable:
```
[root@SVN ~]# chmod 600 ca.key
[root@SVN ~]# ll
total 2030528
-rw-r--r-- 1 root root  981 Oct 17 10:03 ca.cert
-rw------- 1 root root  887 Oct 17 10:01 ca.key
-rw-r--r-- 1 root root  951 Oct 17 09:59 privkey.pem
```
Now move the certificate and key into place, overwriting the expired ones, and restart the web server:
```
[root@SVN ~]# mv ca.crt /etc/pki/tls/certs/ca.crt
mv: overwrite `/etc/pki/tls/certs/ca.crt'? y
[root@SVN ~]# mv ca.key /etc/pki/tls/private/ca.key
mv: overwrite `/etc/pki/tls/private/ca.key'? y
[root@SVN ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
```
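The same renewal as a script, so it can be rerun next year without retyping the prompts, plus the two checks worth doing before overwriting the files Apache is serving: that the new cert and key actually belong together, and how far from expiry the cert is. This is an added example, not part of the original post; the subject fields, the output directory and the KEY_PASS variable name are placeholders.

```sh
#!/bin/sh
# Scripted version of the walkthrough above (added example). $1 is an
# output directory, $2 the Common Name, $3 the validity in days.
set -eu

# CSR + pass-phrase-protected key, key written out unencrypted, then
# self-signed. The pass phrase comes from the KEY_PASS environment
# variable so it never shows up in the process list.
gen_selfsigned() {
  dir="$1" cn="$2" days="$3"
  subj="/C=US/ST=CA/L=Your_City/O=Widgets R Us!/OU=IT Department/CN=$cn"
  KEY_PASS="${KEY_PASS:-temporary-passphrase}"; export KEY_PASS
  openssl req -new -newkey rsa:2048 -sha256 -subj "$subj" -passout env:KEY_PASS \
    -keyout "$dir/privkey.pem" -out "$dir/new.ssl.csr" 2>/dev/null
  openssl rsa -in "$dir/privkey.pem" -passin env:KEY_PASS -out "$dir/ca.key" 2>/dev/null
  openssl x509 -req -in "$dir/new.ssl.csr" -signkey "$dir/ca.key" \
    -days "$days" -out "$dir/ca.crt" 2>/dev/null
  chmod 600 "$dir/ca.key" "$dir/privkey.pem"   # key must not be world readable
}

# True when the certificate ($1) and private key ($2) share a public key,
# i.e. it is safe to install this pair together.
key_matches_cert() {
  c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
  k=$(openssl rsa -pubout -in "$2" 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# True when certificate $1 is still valid $2 days from now; run it from
# cron to catch the next expiry before the browser warning does.
cert_valid_for_days() {
  openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Octal permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }
```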