====== SSL Certificates ======
**General Information**
How to order and replace SSL certificates on popular Linux web servers.
**Checklist**
* Distro(s): Enterprise Linux 6
* Webserver: Apache or Nginx
----
===== Create Request =====
Creating a CSR for a CA-signed certificate, or a self-signed certificate for testing.
==== CSR ====
Certificate Signing Requests (CSR) are created with openssl for new certificates. If you are renewing and want to reuse the existing key, generate the CSR from that key; if you are renewing with a CA that only needs the old CSR, this step can be skipped.

Generate a new CSR (Certificate Signing Request) and private key (''-nodes'' leaves the key unencrypted so the web server can start without a passphrase):
<code bash>
openssl req -sha256 -new -newkey rsa:2048 -nodes -keyout MYSITE.key -out MYSITE.csr
</code>
Generate a new CSR using an existing private key:
<code bash>
openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr
</code>
==== Self-Signed Cert ====
If this is for home or testing purposes, a self-signed certificate is good enough (browsers will warn, since no CA vouches for it).

Create a self-signed certificate and key that are good for 1 year:
<code bash>
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout MYSITE.key -out MYSITE.crt
</code>
----
===== Order Certificate =====
This step can be skipped if you created a self-signed certificate.
* Visit a certificate authority; some popular ones are:
* [[https://www.instantssl.com/|Comodo]]
* [[https://www.digicert.com/|Digicert]]
* [[https://www.geotrust.com/|GeoTrust]]
* Submit an order request
* The CA will need you to copy and paste the fingerprint of your CSR
* Once approved, you will be e-mailed the official signed SSL Certificate
----
===== Update Web Server =====
* Copy the received certificate to the web server
* Update web server's ssl config file
    * Apache: ''/etc/httpd/conf.d/ssl.conf''
<code apache>
SSLEngine on
SSLCertificateFile /etc/httpd/conf/certs/MYSITE.crt
SSLCertificateKeyFile /etc/httpd/conf/certs/MYSITE.key
# intermediate CA certificate(s) received with the signed certificate
SSLCertificateChainFile /etc/httpd/conf/certs/MY-CA.crt
</code>
    * Nginx: ''//conf/nginx.conf''
<code nginx>
ssl on;
# nginx has no chain directive: append MY-CA.crt (the intermediates) to the end of MYSITE.crt
ssl_certificate //conf/certs/MYSITE.crt;
ssl_certificate_key //conf/certs/MYSITE.key;
# only used when clients must present certificates (ssl_verify_client); it does not serve the chain
ssl_client_certificate //conf/certs/MY-CA.crt;
</code>
* Test config syntax before reloading (a bad path or key/cert mismatch is caught here, not by a failed restart)
    * Apache: ''apachectl configtest''
    * Nginx: ''nginx -t''
* Reload config file (graceful restart, existing connections are not dropped)
    * Apache: ''apachectl graceful''
    * Alternative: ''kill -SIGUSR1'' sent to the parent httpd process
    * Nginx: ''//sbin/nginx -s reload''
* Verify the new certificate is the one being served (the ''grep Not'' shows the Not Before / Not After lines; ''</dev/null'' stops s_client waiting on stdin):
<code bash>
openssl s_client -connect MYSITE:443 </dev/null | openssl x509 -text | grep Not
</code>
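The checks below are an added example, not part of the original page: a small POSIX shell script that generates the key, CSR and self-signed certificate from the //Create Request// section into a scratch directory, then runs the pre-deployment checks worth doing before the files go into ''/etc/httpd/conf/certs'' or nginx's ''conf/certs'' (does the certificate belong to the private key, does it chain to the CA file, how long until it expires, is the nginx bundle in the right order). It assumes ''openssl'' is in ''PATH''; ''MYSITE.example'' and the ''WORK'' scratch directory are constructed placeholders. The ''bundle_for_nginx'' helper covers the nginx note in //Update Web Server//: the server certificate first, the CA chain appended.

```shell
#!/bin/sh
# Added example (not from the original page): create key/CSR/self-signed cert in a
# scratch dir and verify them offline before copying anything to the web server.
# Assumes: openssl in PATH. MYSITE.example and WORK are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SUBJ="/CN=MYSITE.example"   # placeholder subject; a real request uses the site's FQDN

# Private key + CSR, same command as the page but non-interactive via -subj
make_csr() {
    openssl req -sha256 -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
        -keyout "$WORK/MYSITE.key" -out "$WORK/MYSITE.csr" 2>/dev/null
}

# Self-signed certificate (and a fresh key) valid for $1 days, default 365
make_selfsigned() {
    days="${1:-365}"
    openssl req -x509 -sha256 -nodes -days "$days" -newkey rsa:2048 -subj "$SUBJ" \
        -keyout "$WORK/MYSITE.key" -out "$WORK/MYSITE.crt" 2>/dev/null
}

# Checks the CSR's own signature (catches a CSR corrupted during copy/paste)
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# SHA-256 of the public key carried by a .key, .csr or .crt file.
# Two files with the same value belong together; this is how a
# "key does not match certificate" error is diagnosed before a restart.
pubkey_fp() {
    case "$1" in
        *.key) openssl pkey -in "$1" -pubout ;;
        *.csr) openssl req  -in "$1" -noout -pubkey ;;
        *.crt) openssl x509 -in "$1" -noout -pubkey ;;
    esac | openssl sha256 | awk '{print $NF}'
}

# 0 if the two files (key/csr/crt in any order) share a public key
cert_matches_key() {
    [ "$(pubkey_fp "$1")" = "$(pubkey_fp "$2")" ]
}

# 0 if $1 is still valid for at least $2 days (default 30); use it for renewal alerts
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null
}

# 0 if certificate $1 verifies against CA/chain file $2 (what SSLCertificateChainFile must satisfy)
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# notBefore/notAfter of a local file, the offline counterpart of the page's s_client | grep Not
cert_dates() {
    openssl x509 -in "$1" -noout -dates
}

# nginx bundle: server cert $1 first, then chain $2, written to $3; prints the cert count
bundle_for_nginx() {
    cat "$1" "$2" > "$3"
    grep -c 'BEGIN CERTIFICATE' "$3"
}

# Typical use after sourcing this file:
#   make_csr && csr_verify "$WORK/MYSITE.csr" && cert_matches_key "$WORK/MYSITE.key" "$WORK/MYSITE.csr"
#   cert_valid_for_days /etc/httpd/conf/certs/MYSITE.crt 30 || echo "renew soon"
```

Run the checks against the real files once the CA has returned the signed certificate: ''cert_matches_key MYSITE.crt MYSITE.key'' failing means the wrong key (or the wrong certificate) was copied, and ''cert_chains_to MYSITE.crt MY-CA.crt'' failing means the intermediate file is incomplete, which is the usual cause of a certificate that looks fine in one browser and errors in another.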