Hi all. I am using redhat 7.1, apache 1.3-19, mod_ssl-2.8.5-0.7
openssl-0.9.6-13.

At the moment, the ssl certificate has expired. When user accessed the site, will prompt up requesting for certificate install.
The server certificate has expired. how can i go about renewing the server SSL certificate ?? Pls advise.

Mark

This really depends on a lot of things, like the actual file your using and how your apache is setup to name a couple

Here is how mine works.

find location of certificate from httpd.conf...

cat httpd.conf | grep SSLCertificateFile
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt

mv the file to a backup file

mv /etc/httpd/conf/ssl.crt/server.crt /etc/httpd/conf/ssl.crt/server.crt.bak


create a new one..

cd /etc/httpd/conf
make testcert

answer questions as prompted to create the certificate


restart apache...

/etc/rc.d/init.d/httpd restart

I've never heard of that before... I use the openssl utility to regenerate the (self-signed, I presume) certificate:

openssl req -new /etc/httpd/conf/ssl.key/server.key -x509 -out /etc/httpd/conf/ssl.crt/server.crt

Then, restart apache: apachectl restart

that's the same thing basically.

However they have a Makefile that does it for you

Is the makefile standard on a RedHat 7.1 installation? It wasn't on my system... Just looking for the lowest common denominator to help this person out. Good to know, though.

Not sure but it's on mine

here is the contents of the makefile



.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem

usage:
@echo "This makefile allows you to create:"
@echo " o public/private key pairs"
@echo " o SSL certificate signing requests (CSRs)"
@echo " o self-signed SSL test certificates"
@echo
@echo "To create a key pair, run \"make SOMETHING.key\"."
@echo "To create a CSR, run \"make SOMETHING.csr\"."
@echo "To create a test certificate, run \"make SOMETHING.crt\"."
@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
@echo
@echo "To create a key for use with Apache, run \"make genkey\"."
@echo "To create a CSR for use with Apache, run \"make certreq\"."
@echo "To create a test certificate for use with Apache, run \"make testcert\"."
@echo
@echo Examples:
@echo " make server.key"
@echo " make server.csr"
@echo " make server.crt"
@echo " make stunnel.pem"
@echo " make genkey"
@echo " make certreq"
@echo " make testcert"

%.pem:
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 ; \
cat $$PEM1 > $@ ; \
echo "" >> $@ ; \
cat $$PEM2 >> $@ ; \
$(RM) $$PEM1 $$PEM2

%.key:
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > $@

%.csr: %.key
umask 77 ; \
/usr/bin/openssl req -new -key $^ -out $@

%.crt: %.key
umask 77 ; \
/usr/bin/openssl req -new -key $^ -x509 -days 365 -out $@

KEY=/etc/httpd/conf/ssl.key/server.key
CSR=/etc/httpd/conf/ssl.csr/server.csr
CRT=/etc/httpd/conf/ssl.crt/server.crt

genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)

$(CSR): $(KEY)
umask 77 ; \
/usr/bin/openssl req -new -key $(KEY) -out $(CSR)

$(CRT): $(KEY)
umask 77 ; \
/usr/bin/openssl req -new -key $(KEY) -x509 -days 365 -out $(CRT)

Also if you have this you can use

make server.crt


it will not install the files, but it will put them in the current folder and they will be encrypted

I use make testcert because that's all there is to it. the files are installed, and there's no need to enter a password when you start apache