One of my web servers sent me this email this morning:
Subject: The certificate for ServerName.com has expired ################# SSL Certificate Warning ################ Certificate for hostname 'ServerName.com', in file (or by nickname): /etc/pki/tls/certs/server.crt The certificate needs to be renewed; this can be done using the 'genkey' program. Browsers will not be able to correctly connect to this web site using SSL until the certificate is renewed. ########################################################## Generated by certwatch(1)
The only problem is that the server lied. š You can use the ‘genkey’ program to renew an SSL certificate if your certificate is signed by a CA (Certificate Authority), but if you’re using a self-signed certificate (like me), then genkey won’t work. The quickest solution is to merely re-create your own certificate.
Step 1: Verify Your Current Certificate Directives
If your certificate has recently expired, then it’s probably been at least a year since you tinkered with it. The warning email told you the path of your certificate file, but you should also verify the filenames, locations, and the directives of your web server’s SSL configuration by doing:
grep SSLCertificate /etc/httpd/conf.d/ssl.conf
You should get something like:
# Point SSLCertificateFile at a PEM encoded certificate. If SSLCertificateFile /etc/pki/tls/certs/server.crt SSLCertificateKeyFile /etc/pki/tls/private/server.key # Point SSLCertificateChainFile at a file containing the # the referenced file can be the same as SSLCertificateFile #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
You’re interested in the SSLCertificateFile and SSLCertificateKeyFile directives. This example uses server.crt and server.key as the names of the certificate files. Yours may be different. Just replace them as necessary in the following instructions.
Next, take note of the permissions of those two files:
ls -lh /etc/pki/tls/certs/server.crt -rw------- 1 root root 1.5K Jun 24 23:02 /etc/pki/tls/certs/server.crt ls -lh /etc/pki/tls/private/server.key -rw------- 1 root root 891 Jun 24 23:02 /etc/pki/tls/private/server.key
They are owned by root and can only be read and written to by root (permission 600). Your new files will need the same permissions when you’re done.
Step 2: Create the New Self-Signed CertificateĀ and Key Files
Type the following:
openssl req -new -days 365 -x509 -nodes -newkey rsa:2048 -out /etc/pki/tls/certs/server.crt -keyout /etc/pki/tls/private/server.key
Answer the questions as they are presented to create your new certificate files, starting with the two-letter country code and ending with your email address. If you make a mistake, don’t worry. Just re-run the command and it will overwrite the files.
Your file permissions may not have been affected, but in some cases you’ll need to update their permissions. Do:
chmod 600 /etc/pki/tls/certs/server.crt chmod 600 /etc/pki/tls/private/server.key
Step 3: Restart Your Web Server
Type service httpd restart to restart your web server and tell it to use the new certificate files.
You’re done!