General Information
How to order and replace SSL certificates on popular Linux web servers.
Checklist
Creating a legit CSR or self-signed certificate.
Certificate Signing Requests (CSR) are created with openssl for new certificates. If you are renewing, this step can be skipped.
Generate a new CSR (Certificate Signing Request) and Private key
openssl req -new -newkey rsa:2048 -nodes -keyout MYSITE.key -out MYSITE.csr
Generate a new CSR and use an existing Private Key
openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr
If this is for home or testing purposes, a self-signed certificate is good enough.
Create Self-Signed Cert that is good for 1 year
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout MYSITE.key -out MYSITE.crt
This step can be skipped if you created a self-signed certificate.
# Apache httpd
SSLEngine on
SSLCertificateFile /etc/httpd/conf/certs/MYSITE.crt
SSLCertificateKeyFile /etc/httpd/conf/certs/MYSITE.key
SSLCertificateChainFile /etc/httpd/conf/certs/MY-CA.crt
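# nginx
# Note: ssl_client_certificate is nginx's directive for the CAs used to verify
# client certificates; intermediate certificates are normally appended to the
# ssl_certificate file, after the site certificate.
ssl on;
ssl_certificate /<nginx-root>/conf/certs/MYSITE.crt;
ssl_certificate_key /<nginx-root>/conf/certs/MYSITE.key;
ssl_client_certificate /<nginx-root>/conf/certs/MY-CA.crt;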
apachectl configtest
nginx -t
apachectl graceful
kill -SIGUSR1 <httpd-root-pid>
/<nginx-root>/sbin/nginx -s reload
openssl s_client -connect MYSITE:443 </dev/null | openssl x509 -text | grep Not
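Before installing, it is worth confirming that the key, CSR and certificate belong together, that the certificate is not about to expire, and that the unencrypted key is not readable by other users. The script below is an added example, not part of the original page; the function names and the throwaway demo.test pair are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example: checks to run before the web server is pointed at new files.
# Function names and the throwaway demo files are assumptions for illustration.

# SHA-256 over the PEM public key held in a private key, CSR or certificate.
pubkey_hash() {    # usage: pubkey_hash key|csr|cert FILE
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1   # unreadable or malformed file: no hash at all
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only when both files carry the same public key.
same_key() {       # usage: same_key TYPE1 FILE1 TYPE2 FILE2
    a=$(pubkey_hash "$1" "$2") || return 1
    b=$(pubkey_hash "$3" "$4") || return 1
    [ "$a" = "$b" ]
}

# Succeeds when the certificate is still valid DAYS days from now.
valid_for_days() { # usage: valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds when group and other have no access to the key; -nodes leaves the
# key unencrypted, so file permissions are its only protection on disk.
key_is_private() { # usage: key_is_private KEYFILE
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Demo on a constructed self-signed pair (demo.test is a made-up name).
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=demo.test" \
        -keyout "$d/MYSITE.key" -out "$d/MYSITE.crt" 2>/dev/null || return 1
    chmod 600 "$d/MYSITE.key"
    same_key key "$d/MYSITE.key" cert "$d/MYSITE.crt" && echo "key matches cert"
    valid_for_days "$d/MYSITE.crt" 30 && echo "valid for 30+ days"
    key_is_private "$d/MYSITE.key"    && echo "key not group/world readable"
    rm -rf "$d"
}
demo
```

Run `same_key csr MYSITE.csr key MYSITE.key` when reusing an existing key for a new CSR, and `same_key key MYSITE.key cert MYSITE.crt` once the signed certificate comes back.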