====== SSL Certificates ======

**General Information**

How to order and replace SSL certificates on popular Linux web servers.

**Checklist**
  * Distro(s): Enterprise Linux 6 (now past end of life; the openssl and web server steps below apply unchanged to later releases)
  * Webserver: Apache or Nginx

----

===== Create Request =====

Creating a CSR for a CA-signed certificate, or a self-signed certificate for testing.

==== CSR ====

Certificate Signing Requests (CSR) are created with openssl. A CSR is needed for a new certificate, and most CAs also ask for one when renewing; for a renewal you can reuse the existing private key (second command), but generating a fresh key is the safer choice. Pass ''-sha256'' explicitly: older openssl builds default to SHA-1, which browsers reject. The private key is the secret that lets anyone holding it impersonate the site, so keep it readable by root only (''chmod 600'') and never send it to the CA; only the CSR leaves the server.

Generate a new CSR (Certificate Signing Request) and private key:
<code bash>
openssl req -sha256 -new -newkey rsa:2048 -nodes -keyout MYSITE.key -out MYSITE.csr
</code>

Generate a new CSR using an existing private key:
<code bash>
openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr
</code>

==== Self-Signed Cert ====

If this is for home or testing purposes, a self-signed certificate is good enough. Browsers and clients will warn until the certificate is explicitly trusted, so do not use one for a public site.

Create a self-signed cert that is good for 1 year:
<code bash>
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout MYSITE.key -out MYSITE.crt
</code>

----

===== Order Certificate =====

This step can be skipped if you created a self-signed certificate.
  * Visit a certificate authority; some popular ones are:
    * [[https://www.instantssl.com/|Comodo]]
    * [[https://www.digicert.com/|Digicert]]
    * [[https://www.geotrust.com/|GeoTrust]]
  * Submit an order request
  * The CA will ask you to paste the contents of your CSR (the PEM block in MYSITE.csr, not the private key)
  * The CA then checks that you control the domain (typically an e-mail to an address at the domain, a DNS record, or a file placed on the web server)
  * Once approved, you will be e-mailed the signed SSL certificate, usually together with the CA's intermediate certificate(s) that form the chain

----

===== Update Web Server =====

  * Copy the received certificate, and the CA's intermediate/chain certificate, to the web server; the key file stays mode 600
  * Update the web server's SSL config file
    * Apache: /etc/httpd/conf/d/ssl.conf
<code apache>
SSLEngine on
SSLCertificateFile      /etc/httpd/conf/certs/MYSITE.crt
SSLCertificateKeyFile   /etc/httpd/conf/certs/MYSITE.key
SSLCertificateChainFile /etc/httpd/conf/certs/MY-CA.crt
</code>
    ''SSLCertificateChainFile'' is correct for the httpd 2.2 on EL6; on httpd 2.4.8 and later it is deprecated and the intermediates are appended to the file named by ''SSLCertificateFile'' instead.
    * Nginx: //conf/nginx.conf
<code nginx>
listen 443 ssl;
ssl_certificate     //conf/certs/MYSITE.crt;
ssl_certificate_key //conf/certs/MYSITE.key;
</code>
    Nginx has no chain directive: MYSITE.crt must contain the server certificate first, followed by the CA's intermediate certificate(s) from MY-CA.crt, in one file. Do **not** point ''ssl_client_certificate'' at the chain; that directive enables client-certificate (mutual TLS) verification and does nothing for the server's own chain. ''listen 443 ssl;'' is preferred over the older ''ssl on;'', which is deprecated.
  * Test config syntax
    * Apache: ''apachectl configtest''
    * Nginx: ''nginx -t''
  * Reload config file (graceful restart: running workers finish their current requests before picking up the new certificate)
    * Apache: ''apachectl graceful''
    * Alternative: ''kill -SIGUSR1 PID'', where PID is the parent httpd process (from the httpd pid file)
    * Nginx: ''//sbin/nginx -s reload''
  * Verify that the new cert is the one actually being served by checking its validity dates; ''-servername'' selects the right vhost when several share an IP, and ''</dev/null'' makes s_client exit after the handshake:
<code bash>
openssl s_client -connect MYSITE:443 -servername MYSITE </dev/null | openssl x509 -noout -text | grep Not
</code>