
SSL Certificates

General Information

How to order and replace SSL certificates on popular Linux web servers.

Checklist

  • Distro(s): Enterprise Linux 6
  • Webserver: Apache or Nginx

Creating a CSR or a self-signed certificate

Certificate Signing Requests (CSRs) are created with openssl for new certificates. If you are renewing, this step can be skipped.

Generate a new CSR (Certificate Signing Request) and private key (-sha256 is given explicitly because older openssl releases, such as the one shipped with Enterprise Linux 6, default to SHA-1)

openssl req -sha256 -new -newkey rsa:2048 -nodes -keyout MYSITE.key -out MYSITE.csr

Generate a new CSR using an existing private key

openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr

If this is for home or testing purposes, a self-signed certificate is good enough.

Create a self-signed cert that is good for 1 year

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout MYSITE.key -out MYSITE.crt

This step can be skipped if you created a self-signed certificate.

  • Visit a certificate authority; some popular ones are:
  • Submit an order request
    • The CA will need you to copy and paste the fingerprint of your CSR
  • Once approved, you will be e-mailed the official signed SSL Certificate

  • Copy the received certificate to the web server
  • Update the web server's SSL config file
    • Apache: /etc/httpd/conf.d/ssl.conf
      SSLEngine on
      SSLCertificateFile /etc/httpd/conf/certs/MYSITE.crt
      SSLCertificateKeyFile /etc/httpd/conf/certs/MYSITE.key
      SSLCertificateChainFile /etc/httpd/conf/certs/MY-CA.crt
    • Nginx: /<nginx-root>/conf/nginx.conf
      ssl                  on;
      ssl_certificate      /<nginx-root>/conf/certs/MYSITE-bundle.crt;
      ssl_certificate_key  /<nginx-root>/conf/certs/MYSITE.key;
      Nginx has no separate chain directive: build the bundle with the site certificate first, followed by the CA chain (cat MYSITE.crt MY-CA.crt > MYSITE-bundle.crt). Do not point ssl_client_certificate at the chain; that directive is for verifying client certificates, not for serving the server's chain.
  • Test Config Syntax
    • Apache
      apachectl configtest
    • Nginx
      nginx -t
  • Reload Config File (graceful restart)
    • Apache
      apachectl graceful
      • Alternative
        kill -SIGUSR1 <httpd-root-pid>
    • Nginx
      /<nginx-root>/sbin/nginx -s reload
  • Verify new certs (echo closes s_client's stdin so it exits after the handshake; -servername selects the right SNI virtual host)
    echo | openssl s_client -connect MYSITE:443 -servername MYSITE 2>/dev/null | openssl x509 -noout -text | grep Not
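A pre-deployment check for the files named in the config above, added here as an example (it is not part of the wiki page): it confirms that the private key matches the certificate, that the certificate chains up to the CA bundle, and how many days remain before expiry. It assumes the openssl binary is on PATH; all file paths are arguments.

```shell
#!/bin/sh
# Added example (not from the wiki): sanity-check a certificate, its private key
# and the CA chain before pointing the web server config at them.
# Assumes the openssl binary is on PATH; all file paths are arguments.

# Succeeds (exit 0) only if the public key inside CERT ($1) matches the private
# key KEY ($2). Compares the PEM public keys rather than RSA moduli, so it also
# works for EC keys. A missing or unreadable file counts as a mismatch.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Prints the number of whole days CERT ($1) remains valid (0 if already expired)
# and returns 1 if that is below MIN_DAYS ($2, default 30). Binary-searches
# openssl's -checkend so no locale-dependent date parsing is needed.
cert_days_left() {
    lo=0; hi=7300          # search window: up to 20 years ahead
    min_days=${2:-30}
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if openssl x509 -in "$1" -noout -checkend $(( mid * 86400 )) >/dev/null 2>&1; then
            lo=$mid            # still valid "mid" days from now
        else
            hi=$(( mid - 1 ))  # expires within "mid" days
        fi
    done
    echo "$lo"
    [ "$lo" -ge "$min_days" ]
}

# Succeeds if CERT ($1) chains up to the CA certificate(s) in CHAIN ($2), i.e.
# the file used for SSLCertificateChainFile or concatenated into the nginx bundle.
cert_chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Command-line use: check_cert.sh MYSITE.crt MYSITE.key [MY-CA.crt]
if [ $# -ge 2 ]; then
    cert_key_match "$1" "$2" && echo "key matches certificate" || echo "KEY MISMATCH"
    days=$(cert_days_left "$1") && echo "$days days left" || echo "EXPIRES SOON: $days days left"
    if [ -n "$3" ]; then
        cert_chain_ok "$1" "$3" && echo "chain OK" || echo "CHAIN INVALID"
    fi
fi
```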