====== SSL Certificates ======

**General Information**

How to order and replace SSL certificates on popular Linux web servers.

**Checklist**

  * Distro(s): Enterprise Linux 6
  * Webserver: Apache or Nginx

----

===== Create Request =====

Creating a CSR for a CA-signed certificate, or a self-signed certificate.

==== CSR ====

Certificate Signing Requests (CSR) are created with openssl for new certificates. If you are renewing with the same private key, you can reuse the old CSR or generate a fresh one from the existing key (second command below). Pass ''-sha256'' explicitly in both cases rather than relying on the ''default_md'' in openssl.cnf.

Generate a new CSR (Certificate Signing Request) and private key. ''-nodes'' writes the key unencrypted so the web server can start without a passphrase; restrict it to mode 0600, owned by root, as soon as it exists, and never copy it anywhere but the web server.
<code bash>
openssl req -sha256 -new -newkey rsa:2048 -nodes -keyout MYSITE.key -out MYSITE.csr
</code>

Generate a new CSR and use an existing private key
<code bash>
openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr
</code>

==== Self-Signed Cert ====

If this is for home or testing purposes, a self-signed certificate is good enough. Clients will warn that the issuer is untrusted unless the certificate is imported into their trust store.

Create a self-signed certificate and key that are valid for 1 year
<code bash>
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout MYSITE.key -out MYSITE.crt
</code>

----

===== Order Certificate =====

This step can be skipped if you created a self-signed certificate.
  * Visit a certificate authority; some popular ones are:
    * [[https://www.instantssl.com/|Comodo]]
    * [[https://www.digicert.com/|Digicert]]
    * [[https://www.geotrust.com/|GeoTrust]]
  * Submit an order request
  * The CA will ask you to paste the contents of your CSR (the whole ''MYSITE.csr'' file, from ''-----BEGIN CERTIFICATE REQUEST-----'' to ''-----END CERTIFICATE REQUEST-----''). The CSR contains only the public key and subject; the private key never leaves the server.
  * Once the order is validated, the CA sends the signed certificate, normally together with the intermediate (chain) certificate that links it to the CA's root. You need both files.

----

===== Update Web Server =====

  * Copy the received certificate and the intermediate certificate to the web server (mode 0644 is fine for certificates; the private key stays 0600)
  * Update the web server's SSL config file
    * Apache: /etc/httpd/conf.d/ssl.conf. ''SSLCertificateChainFile'' holds the CA's intermediate certificate. (On httpd 2.4.8 and later it is deprecated and the intermediate is appended to the ''SSLCertificateFile'' instead; EL6 ships httpd 2.2, so it is the right directive here.)<code apache>
SSLEngine on
SSLCertificateFile /etc/httpd/conf/certs/MYSITE.crt
SSLCertificateKeyFile /etc/httpd/conf/certs/MYSITE.key
SSLCertificateChainFile /etc/httpd/conf/certs/MY-CA.crt
</code>
    * Nginx: /<nginx-root>/conf/nginx.conf. Nginx has no separate chain directive, and ''ssl_client_certificate'' must not be used for it: that directive configures //client// certificate verification and does nothing for the server chain. Concatenate the server certificate followed by the intermediate into one file (''cat MYSITE.crt MY-CA.crt > MYSITE-bundle.crt'', server certificate first) and point ''ssl_certificate'' at the bundle. ''ssl on;'' is deprecated since nginx 1.15.0; ''listen 443 ssl;'' works on every nginx version you will meet on EL6.<code nginx>
listen 443 ssl;
ssl_certificate /<nginx-root>/conf/certs/MYSITE-bundle.crt;
ssl_certificate_key /<nginx-root>/conf/certs/MYSITE.key;
</code>
  * Test config syntax
    * Apache<code bash>apachectl configtest</code>
    * Nginx<code bash>nginx -t</code>
  * Reload config file (graceful restart; established connections are allowed to finish)
    * Apache<code bash>apachectl graceful</code>
    * Alternative (SIGUSR1 is Apache's graceful-restart signal; send it to the parent httpd process only, not to a worker)<code bash>kill -SIGUSR1 <httpd-root-pid></code>
    * Nginx<code bash>/<nginx-root>/sbin/nginx -s reload</code>
  * Verify the new certificate as a client would see it. Redirect stdin from /dev/null so ''s_client'' exits after the handshake instead of waiting for input, send SNI with ''-servername'' (required for name-based virtual hosts to return the right certificate), and print only the validity dates<code bash>
openssl s_client -connect MYSITE:443 -servername MYSITE </dev/null 2>/dev/null | openssl x509 -noout -dates
</code>
    * Also confirm that the server sends the intermediate, since a missing chain is the most common post-install failure: ''openssl s_client -connect MYSITE:443 -servername MYSITE -showcerts </dev/null'' should list both the server and the intermediate certificate and end with ''Verify return code: 0 (ok)'' when the CA's root is in the local trust store.

linux_wiki/ssl_certificates.txt · Last modified: 2019/05/25 23:50 (external edit)
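Worked example, added here and not part of the wiki page, that runs the whole procedure above end to end: key and CSR, a throwaway local CA standing in for the commercial CA at the ordering step, then the checks worth passing before you reload httpd or nginx (CSR made with the right key, returned certificate matches the key, chain and hostname verify, nginx bundle in the correct order, expiry window). The hostname ''www.example.com'', the file names and the working directory are assumptions made for the example; only openssl is required.

```shell
#!/bin/sh
# Added example, not from the wiki page: runs the order-and-install procedure
# against a throwaway test CA that stands in for the commercial CA.  Hostname,
# file names and working directory are assumptions made for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SITE="${SITE:-www.example.com}"     # assumed hostname for the certificate

# Step 1 (Create Request): 2048-bit RSA key and SHA-256 CSR.  -nodes leaves the
# key unencrypted so httpd/nginx can start unattended, hence the chmod.
make_csr() {
    openssl req -sha256 -new -newkey rsa:2048 -nodes -subj "/CN=$SITE" \
        -keyout "$WORK/MYSITE.key" -out "$WORK/MYSITE.csr" 2>/dev/null
    chmod 600 "$WORK/MYSITE.key"
}

# Before sending the CSR off: it must have been made with the key that will be
# installed.  Compare the public-key moduli rather than eyeballing PEM blobs.
csr_matches_key() {
    [ "$(openssl req -noout -modulus -in "$WORK/MYSITE.csr")" = \
      "$(openssl rsa -noout -modulus -in "$WORK/MYSITE.key")" ]
}

# Step 2 (Order Certificate): a local test CA signs MYSITE.csr.  With a real CA
# you upload MYSITE.csr instead and get back MYSITE.crt plus the intermediate
# MY-CA.crt; the private key is never sent anywhere.
sign_with_test_ca() {
    openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 \
        -subj "/CN=Test CA" -keyout "$WORK/MY-CA.key" -out "$WORK/MY-CA.crt" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/MYSITE.csr" \
        -CA "$WORK/MY-CA.crt" -CAkey "$WORK/MY-CA.key" -CAcreateserial \
        -out "$WORK/MYSITE.crt" 2>/dev/null
}

# Step 3 (Update Web Server), checks to run before the reload.

# The certificate the CA returned must belong to our key, otherwise httpd
# refuses to start and nginx fails the handshake.
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$WORK/MYSITE.crt")" = \
      "$(openssl rsa -noout -modulus -in "$WORK/MYSITE.key")" ]
}

# It must chain to the CA we expect and be issued for our hostname.
cert_chain_ok() {
    openssl verify -CAfile "$WORK/MY-CA.crt" -verify_hostname "$SITE" \
        "$WORK/MYSITE.crt" >/dev/null 2>&1
}

# nginx has no chain directive: server cert first, then the intermediate, in
# one file.  Order matters, so confirm the first cert in the bundle is ours
# (openssl x509 reads only the first PEM block of a file).
build_nginx_bundle() {
    cat "$WORK/MYSITE.crt" "$WORK/MY-CA.crt" > "$WORK/MYSITE-bundle.crt"
    [ "$(openssl x509 -noout -subject -in "$WORK/MYSITE-bundle.crt")" = \
      "$(openssl x509 -noout -subject -in "$WORK/MYSITE.crt")" ]
}

# The information 'grep Not' gives on the page, as a pass/fail instead:
# exit 0 only if the certificate is still valid $1 days from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $1 * 86400 )) -in "$WORK/MYSITE.crt" >/dev/null
}

run_all() {
    make_csr
    csr_matches_key
    sign_with_test_ca
    cert_matches_key
    cert_chain_ok
    build_nginx_bundle
    cert_valid_for_days 30
    openssl x509 -noout -subject -dates -in "$WORK/MYSITE.crt"
}

run_all
```

Run it with ''sh'' on any box with openssl; set ''WORK'' to keep the files somewhere other than a temp directory and ''SITE'' to the real hostname. For a real order, drop ''sign_with_test_ca'', upload ''MYSITE.csr'' to the CA, save the returned certificate and intermediate as ''MYSITE.crt'' and ''MY-CA.crt'', and keep the remaining checks exactly as they are: they are the ones that catch a certificate issued for the wrong key, a missing or misordered intermediate, and a renewal that is already close to expiry.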