Differences
This shows you the differences between two versions of the page.
linux_wiki:ssl_certificates [2015/10/04 00:41] billdozor created |
linux_wiki:ssl_certificates [2019/05/25 23:50] |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== SSL Certificates ====== | ||
- | **General Information** | ||
- | |||
- | How to order and replace SSL certificates on popular Linux web servers. | ||
- | |||
- | **Checklist** | ||
- | * Distro: Enterprise Linux 6 | ||
- | * Webserver: Apache or Nginx | ||
- | |||
- | ---- | ||
- | |||
- | ===== Create Request ===== | ||
- | |||
- | Creating a legit CSR or self-signed certificate. | ||
- | |||
- | ==== CSR ==== | ||
- | |||
- | Certificate Signing Requests (CSR) are created with openssl for new certificates. If you are renewing, this step can be skipped. | ||
- | |||
- | Generate a new CSR (Certificate Signing Request) and Private key | ||
- | <code bash> | ||
- | openssl req -new -newkey rsa:2048 -nodes -keyout MYSITE.key -out MYSITE.csr | ||
- | </ | ||
- | |||
- | Generate a new CSR and use an existing Private Key | ||
- | <code bash> | ||
- | openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr | ||
- | </ | ||
- | |||
- | ==== Self-Signed Cert ==== | ||
- | |||
- | If this is for home or testing purposes, a self-signed certificate is good enough. | ||
- | |||
- | Create Self-Signed Cert that is good for 1 year | ||
- | <code bash> | ||
- | openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout MYSITE.key -out MYSITE.crt | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ===== Order Certificate ===== | ||
- | |||
- | This step can be skipped if you created a self-signed certificate. | ||
- | |||
- | * Visit a certificate authority; some popular ones are: | ||
- | * [[https:// | ||
- | * [[https:// | ||
- | * [[https:// | ||
- | * Submit an order request | ||
- | * The CA will need you to copy and paste the fingerprint of your CSR | ||
- | * Once approved, you will be e-mailed the official signed SSL Certificate | ||
- | |||
- | ---- | ||
- | |||
- | ===== Update Web Server ===== | ||
- | |||
- | * Copy the received certificate to the web server | ||
- | * Update web server' | ||
- | * Apache: / | ||
- | * <code bash> | ||
- | SSLCertificateFile / | ||
- | SSLCertificateKeyFile / | ||
- | SSLCertificateChainFile / | ||
- | * Nginx: /< | ||
- | * <code bash> | ||
- | ssl on; | ||
- | ssl_certificate | ||
- | ssl_certificate_key | ||
- | ssl_client_certificate /< | ||
- | * Test Config Syntax | ||
- | * Apache | ||
- | * <code bash> | ||
- | * Nginx | ||
- | * Nginx will test for a valid config file when the master process receives the " | ||
- | * Reload Config File (graceful restart) | ||
- | * Apache | ||
- | * <code bash> | ||
- | * Alternative | ||
- | * <code bash> | ||
- | * Nginx | ||
- | * <code bash>/< | ||
- | * Verify new certs | ||
- | * <code bash> |
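Review bot: in the removed "Update Web Server" list, the Nginx block sets `ssl_client_certificate` next to `ssl_certificate` and `ssl_certificate_key`. That directive names the CA certificates Nginx trusts when verifying client certificates. It does not supply the server's own chain, which belongs in the file given to `ssl_certificate`. If this text is being moved to another page rather than dropped, fix that line first. The 2019/05/25 side of the diff is empty, so say in the edit summary whether the page was relocated or retired. Three smaller points apply if the content is carried over. In "Order Certificate", the step "copy and paste the fingerprint of your CSR" should say the CSR text itself, since that is what a CA signs. In "CSR", the first `openssl req` command omits `-sha256` while the second includes it; make them consistent. Every key here is written with `-nodes`, so MYSITE.key is unencrypted on disk, and the page should mention restricting its file permissions.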