#1 (05-14-2003, 03:36 AM)
Member | Registered: Nov 2001 | Location: singapore | Posts: 120
How to create new SSL certificate for apache ??
Hi all. I am using redhat 7.1, apache 1.3-19, mod_ssl-2.8.5-0.7, openssl-0.9.6-13.
At the moment, the SSL certificate has expired. When a user accesses the site, a prompt pops up requesting a certificate install.
The server certificate has expired. How can I go about renewing the server SSL certificate? Please advise.
Mark

#2 (05-15-2003, 12:01 AM)
LQ Guru | Registered: Jun 2001 | Location: South Alabama | Distribution: Fedora / RedHat / SuSE | Posts: 7,163
This really depends on a lot of things, like the actual file you're using and how your Apache is set up, to name a couple.
Here is how mine works.
Find the location of the certificate from httpd.conf:
    cat httpd.conf | grep SSLCertificateFile
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
Move the file to a backup file:
    mv /etc/httpd/conf/ssl.crt/server.crt /etc/httpd/conf/ssl.crt/server.crt.bak
Create a new one:
    cd /etc/httpd/conf
    make testcert
Answer the questions as prompted to create the certificate.
Restart Apache:
    /etc/rc.d/init.d/httpd restart
Last edited by DavidPhillips; 05-15-2003 at 12:07 AM.

#3 (05-15-2003, 08:54 AM)
Member | Registered: Mar 2003 | Distribution: Fedora, Mac OSX | Posts: 362
I've never heard of that before... I use the openssl utility to regenerate the (self-signed, I presume) certificate:
    openssl req -new -key /etc/httpd/conf/ssl.key/server.key -x509 -out /etc/httpd/conf/ssl.crt/server.crt
Then, restart Apache:
    apachectl restart

#4 (05-15-2003, 08:57 AM)
LQ Guru | Registered: Jun 2001 | Location: South Alabama | Distribution: Fedora / RedHat / SuSE | Posts: 7,163
That's the same thing, basically.
However, they have a Makefile that does it for you.

#5 (05-15-2003, 11:17 AM)
Member | Registered: Mar 2003 | Distribution: Fedora, Mac OSX | Posts: 362
Is the makefile standard on a RedHat 7.1 installation? It wasn't on my system... Just looking for the lowest common denominator to help this person out. Good to know, though.

#6 (05-15-2003, 12:20 PM)
LQ Guru | Registered: Jun 2001 | Location: South Alabama | Distribution: Fedora / RedHat / SuSE | Posts: 7,163
Not sure, but it's on mine.

#7 (05-15-2003, 01:09 PM)
LQ Guru | Registered: Jun 2001 | Location: South Alabama | Distribution: Fedora / RedHat / SuSE | Posts: 7,163
Here are the contents of the Makefile:
.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem

usage:
	@echo "This makefile allows you to create:"
	@echo " o public/private key pairs"
	@echo " o SSL certificate signing requests (CSRs)"
	@echo " o self-signed SSL test certificates"
	@echo
	@echo "To create a key pair, run \"make SOMETHING.key\"."
	@echo "To create a CSR, run \"make SOMETHING.csr\"."
	@echo "To create a test certificate, run \"make SOMETHING.crt\"."
	@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
	@echo
	@echo "To create a key for use with Apache, run \"make genkey\"."
	@echo "To create a CSR for use with Apache, run \"make certreq\"."
	@echo "To create a test certificate for use with Apache, run \"make testcert\"."
	@echo
	@echo Examples:
	@echo " make server.key"
	@echo " make server.csr"
	@echo " make server.crt"
	@echo " make stunnel.pem"
	@echo " make genkey"
	@echo " make certreq"
	@echo " make testcert"

%.pem:
	umask 77 ; \
	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	/usr/bin/openssl req -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 ; \
	cat $$PEM1 > $@ ; \
	echo "" >> $@ ; \
	cat $$PEM2 >> $@ ; \
	$(RM) $$PEM1 $$PEM2

%.key:
	umask 77 ; \
	/usr/bin/openssl genrsa -des3 1024 > $@

%.csr: %.key
	umask 77 ; \
	/usr/bin/openssl req -new -key $^ -out $@

%.crt: %.key
	umask 77 ; \
	/usr/bin/openssl req -new -key $^ -x509 -days 365 -out $@

KEY=/etc/httpd/conf/ssl.key/server.key
CSR=/etc/httpd/conf/ssl.csr/server.csr
CRT=/etc/httpd/conf/ssl.crt/server.crt

genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)

$(CSR): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req -new -key $(KEY) -out $(CSR)

$(CRT): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req -new -key $(KEY) -x509 -days 365 -out $(CRT)

#8 (05-15-2003, 01:16 PM)
LQ Guru | Registered: Jun 2001 | Location: South Alabama | Distribution: Fedora / RedHat / SuSE | Posts: 7,163
Also, if you have this, you can use
    make server.crt
It will not install the files, but it will put them in the current folder and they will be encrypted.
I use make testcert because that's all there is to it. The files are installed, and there's no need to enter a password when you start Apache.
Last edited by DavidPhillips; 05-15-2003 at 01:22 PM.
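
The renewal steps from posts #2 and #3 (back up the old certificate, regenerate it from the existing key, then restart Apache) can be combined into one script that checks the new certificate before it replaces the live file. This is an added example, not code from the thread or from the Makefile quoted above; the function names, the `-subj` value and the use of a key without a passphrase are assumptions.

```shell
#!/bin/sh
# Added example: renew a self-signed certificate from the existing RSA key and
# only replace the live file once the new certificate has been checked.

# cert_matches_key KEY CRT: succeeds if CRT carries the public key of KEY.
cert_matches_key() {
    k=$(openssl rsa  -in "$1" -noout -modulus 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for CRT SECONDS: succeeds if CRT is still valid SECONDS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# renew_selfsigned KEY CRT DAYS SUBJECT
# Assumes KEY is not passphrase-protected; SUBJECT (e.g. /CN=www.example.test)
# replaces the interactive questions asked by "make testcert".
renew_selfsigned() {
    key=$1; crt=$2; days=$3; subj=$4
    tmp="$crt.new.$$"
    ( umask 077
      openssl req -new -x509 -key "$key" -days "$days" -subj "$subj" \
          -out "$tmp" ) || { rm -f "$tmp"; return 1; }
    # Refuse to install a certificate that does not pair with the key Apache
    # will load, or that is not valid for at least one more day.
    if ! cert_matches_key "$key" "$tmp" || ! cert_valid_for "$tmp" 86400; then
        rm -f "$tmp"
        return 1
    fi
    if [ -f "$crt" ]; then cp -p "$crt" "$crt.bak"; fi   # keep the old one
    mv "$tmp" "$crt"
}

# Usage: sh renew-cert.sh KEY CRT DAYS SUBJECT, then restart Apache.
if [ "$#" -eq 4 ]; then
    renew_selfsigned "$@" && openssl x509 -in "$2" -noout -subject -enddate
fi
```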