LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
Search this Thread
Old 05-14-2003, 04:36 AM   #1
chuck77
Member
 
Registered: Nov 2001
Location: singapore
Posts: 120

Rep: Reputation: 15
How to create new SSL certificate for apache ??


Hi all. I am using redhat 7.1, apache 1.3-19, mod_ssl-2.8.5-0.7
openssl-0.9.6-13.

At the moment, the ssl certificate has expired. When user accessed the site, will prompt up requesting for certificate install.
The server certificate has expired. how can i go about renewing the server SSL certificate ?? Pls advise.

Mark
 
Old 05-15-2003, 01:01 AM   #2
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,155

Rep: Reputation: 56
This really depends on a lot of things, like the actual file your using and how your apache is setup to name a couple

Here is how mine works.

find location of certificate from httpd.conf...

cat httpd.conf | grep SSLCertificateFile
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt

mv the file to a backup file

mv /etc/httpd/conf/ssl.crt/server.crt /etc/httpd/conf/ssl.crt/server.crt.bak


create a new one..

cd /etc/httpd/conf
make testcert

answer questions as prompted to create the certificate


restart apache...

/etc/rc.d/init.d/httpd restart

Last edited by DavidPhillips; 05-15-2003 at 01:07 AM.
 
Old 05-15-2003, 09:54 AM   #3
bentz
Member
 
Registered: Mar 2003
Distribution: Fedora, Mac OSX
Posts: 362

Rep: Reputation: 30
I've never heard of that before... I use the openssl utility to regenerate the (self-signed, I presume) certificate:

openssl req -new /etc/httpd/conf/ssl.key/server.key -x509 -out /etc/httpd/conf/ssl.crt/server.crt

Then, restart apache: apachectl restart
 
Old 05-15-2003, 09:57 AM   #4
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,155

Rep: Reputation: 56
that's the same thing basically.

However they have a Makefile that does it for you
 
Old 05-15-2003, 12:17 PM   #5
bentz
Member
 
Registered: Mar 2003
Distribution: Fedora, Mac OSX
Posts: 362

Rep: Reputation: 30
Is the makefile standard on a RedHat 7.1 installation? It wasn't on my system... Just looking for the lowest common denominator to help this person out. Good to know, though.
 
Old 05-15-2003, 01:20 PM   #6
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,155

Rep: Reputation: 56
Not sure but it's on mine
 
Old 05-15-2003, 02:09 PM   #7
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,155

Rep: Reputation: 56
here is the contents of the makefile



.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem

usage:
@echo "This makefile allows you to create:"
@echo " o public/private key pairs"
@echo " o SSL certificate signing requests (CSRs)"
@echo " o self-signed SSL test certificates"
@echo
@echo "To create a key pair, run \"make SOMETHING.key\"."
@echo "To create a CSR, run \"make SOMETHING.csr\"."
@echo "To create a test certificate, run \"make SOMETHING.crt\"."
@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
@echo
@echo "To create a key for use with Apache, run \"make genkey\"."
@echo "To create a CSR for use with Apache, run \"make certreq\"."
@echo "To create a test certificate for use with Apache, run \"make testcert\"."
@echo
@echo Examples:
@echo " make server.key"
@echo " make server.csr"
@echo " make server.crt"
@echo " make stunnel.pem"
@echo " make genkey"
@echo " make certreq"
@echo " make testcert"

%.pem:
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 ; \
cat $$PEM1 > $@ ; \
echo "" >> $@ ; \
cat $$PEM2 >> $@ ; \
$(RM) $$PEM1 $$PEM2

%.key:
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > $@

%.csr: %.key
umask 77 ; \
/usr/bin/openssl req -new -key $^ -out $@

%.crt: %.key
umask 77 ; \
/usr/bin/openssl req -new -key $^ -x509 -days 365 -out $@

KEY=/etc/httpd/conf/ssl.key/server.key
CSR=/etc/httpd/conf/ssl.csr/server.csr
CRT=/etc/httpd/conf/ssl.crt/server.crt

genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)

$(CSR): $(KEY)
umask 77 ; \
/usr/bin/openssl req -new -key $(KEY) -out $(CSR)

$(CRT): $(KEY)
umask 77 ; \
/usr/bin/openssl req -new -key $(KEY) -x509 -days 365 -out $(CRT)
 
Old 05-15-2003, 02:16 PM   #8
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,155

Rep: Reputation: 56
Also if you have this you can use

make server.crt


it will not install the files, but it will put them in the current folder and they will be encrypted

I use make testcert because that's all there is to it. the files are installed, and there's no need to enter a password when you start apache

Last edited by DavidPhillips; 05-15-2003 at 02:22 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SSL Certificate The_JinJ Linux - General 1 03-22-2005 12:46 AM
ssl-certificate twantrd Linux - General 1 03-31-2004 09:47 AM
apache-ssl certificate no good ocularbob Linux - Software 2 09-30-2003 05:37 PM
How do I create a self signed SSL certificate? mongoose Linux - Software 2 04-15-2003 07:46 PM
2 certificate ssl in 1 server apache simquest Linux - Software 2 07-24-2002 12:47 PM


All times are GMT -5. The time now is 08:12 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration