linux_wiki:ssl_certificates

Differences

This shows you the differences between two versions of the page.

linux_wiki:ssl_certificates [2015/10/04 00:41]
billdozor created
linux_wiki:ssl_certificates [2019/05/25 23:50]
Line 1: Line 1:
-====== SSL Certificates ====== 
  
-**General Information** 
- 
-How to order and replace SSL certificates on popular Linux web servers.  
- 
-**Checklist** 
-  * Distro: Enterprise Linux 6 
-  * Webserver: Apache or Nginx 
- 
----- 
- 
-===== Create Request ===== 
- 
-Creating a legit CSR or self-signed certificate. 
- 
-==== CSR ==== 
- 
-Certificate Signing Requests (CSR) are created with openssl for new certificates. If you are renewing, this step can be skipped. 
- 
-Generate a new CSR (Certificate Signing Request) and Private key 
-<code bash> 
-openssl req -new -newkey rsa:2048 -nodes -keyout MYSITE.key -out MYSITE.csr 
-</code> 
- 
-Generate a new CSR and use an existing Private Key 
-<code bash> 
-openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr 
-</code> 
- 
-==== Self-Signed Cert ==== 
- 
-If this is for home or testing purposes, a self-signed certificate is good enough. 
- 
-Create Self-Signed Cert that is good for 1 year 
-<code bash> 
-openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout MYSITE.key -out MYSITE.crt 
-</code> 
- 
----- 
- 
-===== Order Certificate ===== 
- 
-This step can be skipped if you created a self-signed certificate. 
- 
-  * Visit a certificate authority; some popular ones are: 
-    * [[https://www.instantssl.com/|Comodo]] 
-    * [[https://www.digicert.com/|Digicert]] 
-    * [[https://www.geotrust.com/|GeoTrust]] 
-  * Submit an order request 
-    * The CA will need you to copy and paste the fingerprint of your CSR 
-  * Once approved, you will be e-mailed the official signed SSL Certificate 
- 
----- 
- 
-===== Update Web Server ===== 
- 
-  * Copy the received certificate to the web server 
-  * Update web server's ssl config file 
-    * Apache: /etc/httpd/conf.d/ssl.conf 
-      * <code bash>SSLEngine on 
-SSLCertificateFile /etc/httpd/conf/certs/MYSITE.crt 
-SSLCertificateKeyFile /etc/httpd/conf/certs/MYSITE.key 
-SSLCertificateChainFile /etc/httpd/conf/certs/MY-CA.crt</code> 
-    * Nginx: /<nginx-root>/conf/nginx.conf 
-      * <code bash> 
-ssl  on; 
-ssl_certificate      /<nginx-root>/conf/certs/MYSITE.crt; 
-ssl_certificate_key  /<nginx-root>/conf/certs/MYSITE.key; 
-ssl_client_certificate /<nginx-root>/conf/certs/MY-CA.crt;</code> 
-  * Test Config Syntax 
-    * Apache 
-      * <code bash>apachectl configtest</code> 
-    * Nginx 
-      * Nginx will test for a valid config file when the master process receives the "reload" signal(in the next step). If it is valid, the new config will be used, if not, the old config continues to be used. 
-  * Reload Config File (graceful restart) 
-    * Apache 
-      * <code bash>apachectl graceful</code> 
-      * Alternative 
-        * <code bash>kill -SIGUSR1 <httpd-root-pid></code> 
-    * Nginx 
-      * <code bash>/<nginx-root>/sbin/nginx -s reload</code> 
-  * Verify new certs 
-    * <code bash>openssl s_client -connect MYSITE:443 | openssl x509 -text | grep Not</code> 
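Review bot: in the Nginx block under "Update Web Server", `ssl_client_certificate /<nginx-root>/conf/certs/MY-CA.crt;` is the wrong directive for a CA chain file. It names the CAs trusted for verifying client certificates, whereas Nginx serves the intermediate chain from the file given to `ssl_certificate`, so MY-CA.crt should be appended to MYSITE.crt instead. If this text is being moved to another page rather than dropped, two smaller points are worth fixing on the way: the "Order Certificate" step says the CA needs the "fingerprint" of the CSR, but what is pasted into the order form is the CSR itself, and the first `openssl req` command omits the `-sha256` that the second one passes. The hunk removes every line and adds none, so the revision should also state where the content now lives.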
  • linux_wiki/ssl_certificates.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)