How to create new SSL certificate for apache ??

chuck77 · 05-14-2003, 03:36 AM

Hi all. I am using redhat 7.1, apache 1.3-19, mod_ssl-2.8.5-0.7
openssl-0.9.6-13.

At the moment, the ssl certificate has expired. When user accessed the site, will prompt up requesting for certificate install.
The server certificate has expired. how can i go about renewing the server SSL certificate ?? Pls advise.

Mark

DavidPhillips · 05-15-2003, 12:01 AM

This really depends on a lot of things, like the actual file your using and how your apache is setup to name a couple

Here is how mine works.

find location of certificate from httpd.conf...

cat httpd.conf | grep SSLCertificateFile
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt

mv the file to a backup file

mv /etc/httpd/conf/ssl.crt/server.crt /etc/httpd/conf/ssl.crt/server.crt.bak

create a new one..

cd /etc/httpd/conf
make testcert

answer questions as prompted to create the certificate

restart apache...

/etc/rc.d/init.d/httpd restart

bentz · 05-15-2003, 08:54 AM

I've never heard of that before... I use the openssl utility to regenerate the (self-signed, I presume) certificate:

openssl req -new /etc/httpd/conf/ssl.key/server.key -x509 -out /etc/httpd/conf/ssl.crt/server.crt

Then, restart apache: apachectl restart

DavidPhillips · 05-15-2003, 08:57 AM

that's the same thing basically.

However they have a Makefile that does it for you

bentz · 05-15-2003, 11:17 AM

Is the makefile standard on a RedHat 7.1 installation? It wasn't on my system... Just looking for the lowest common denominator to help this person out. Good to know, though.

DavidPhillips · 05-15-2003, 12:20 PM

Not sure but it's on mine

DavidPhillips · 05-15-2003, 01:09 PM

here is the contents of the makefile

.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem

usage:
@echo "This makefile allows you to create:"
@echo " o public/private key pairs"
@echo " o SSL certificate signing requests (CSRs)"
@echo " o self-signed SSL test certificates"
@echo
@echo "To create a key pair, run \"make SOMETHING.key\"."
@echo "To create a CSR, run \"make SOMETHING.csr\"."
@echo "To create a test certificate, run \"make SOMETHING.crt\"."
@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
@echo
@echo "To create a key for use with Apache, run \"make genkey\"."
@echo "To create a CSR for use with Apache, run \"make certreq\"."
@echo "To create a test certificate for use with Apache, run \"make testcert\"."
@echo
@echo Examples:
@echo " make server.key"
@echo " make server.csr"
@echo " make server.crt"
@echo " make stunnel.pem"
@echo " make genkey"
@echo " make certreq"
@echo " make testcert"

%.pem:
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 ; \
cat $$PEM1 > $@ ; \
echo "" >> $@ ; \
cat $$PEM2 >> $@ ; \
$(RM) $$PEM1 $$PEM2

%.key:
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > $@

%.csr: %.key
umask 77 ; \
/usr/bin/openssl req -new -key $^ -out $@

%.crt: %.key
umask 77 ; \
/usr/bin/openssl req -new -key $^ -x509 -days 365 -out $@

KEY=/etc/httpd/conf/ssl.key/server.key
CSR=/etc/httpd/conf/ssl.csr/server.csr
CRT=/etc/httpd/conf/ssl.crt/server.crt

genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)

$(CSR): $(KEY)
umask 77 ; \
/usr/bin/openssl req -new -key $(KEY) -out $(CSR)

$(CRT): $(KEY)
umask 77 ; \
/usr/bin/openssl req -new -key $(KEY) -x509 -days 365 -out $(CRT)

DavidPhillips · 05-15-2003, 01:16 PM

Also if you have this you can use

make server.crt

it will not install the files, but it will put them in the current folder and they will be encrypted

I use make testcert because that's all there is to it. the files are installed, and there's no need to enter a password when you start apache