SSL Certificates
General Information
How to order and replace SSL certificates on popular Linux web servers.
Checklist
- Distro(s): Enterprise Linux 6
- Webserver: Apache or Nginx
Create Request
Creating a CSR (for a CA-signed certificate) or a self-signed certificate.
CSR
Certificate Signing Requests (CSRs) are created with openssl for new certificates. If you are renewing, this step can be skipped.
Generate a new CSR (Certificate Signing Request) and Private key
openssl req -sha256 -new -newkey rsa:2048 -nodes -keyout MYSITE.key -out MYSITE.csr
Generate a new CSR and use an existing Private Key
openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr
Self-Signed Cert
If this is for home or testing purposes, a self-signed certificate is good enough.
Create Self-Signed Cert that is good for 1 year
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout MYSITE.key -out MYSITE.crt
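As an added example (not part of the original page), the following script wraps the CSR step above in a few shell functions: it generates the key and CSR non-interactively, puts every hostname into a Subject Alternative Name (browsers match on SANs, not on the CN), and then checks the CSR before it is sent to the CA. The hostnames, the `MYSITE` name and the directory are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original page): generate a key and a CSR that also carries
# Subject Alternative Names, then check the CSR before sending it to the CA.
# Hostnames and paths below are constructed placeholders.
set -e

# gen_key_csr DIR NAME CN HOST...  -> writes DIR/NAME.key and DIR/NAME.csr
# Browsers match on the SAN entries, not the CN, so every hostname goes into subjectAltName.
gen_key_csr() {
    dir=$1; name=$2; cn=$3; shift 3
    san=""
    for h in "$@"; do
        san="${san:+$san,}DNS:$h"
    done
    # Non-interactive request config (prompt = no reads the DN fields directly from [dn]).
    cat > "$dir/$name.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no
[ dn ]
CN = $cn
[ ext ]
subjectAltName = $san
EOF
    openssl req -new -sha256 -newkey rsa:2048 -nodes -config "$dir/$name.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    chmod 600 "$dir/$name.key"   # the private key must not be readable by other users
}

# csr_is_valid CSR -> 0 if the CSR's own signature verifies (i.e. it was not corrupted)
csr_is_valid() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# key_matches CSR KEY -> 0 if the CSR was built from KEY (same RSA modulus)
key_matches() {
    a=$(openssl req -in "$1" -noout -modulus | openssl sha256)
    b=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# csr_sans CSR -> prints the SAN entries one per line, e.g. "DNS:www.example.test"
csr_sans() {
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n1 | tr ',' '\n' | sed 's/^ *//'
}

# Demo with constructed hostnames in a throwaway directory
demo_dir=$(mktemp -d)
gen_key_csr "$demo_dir" MYSITE www.example.test www.example.test example.test
csr_is_valid "$demo_dir/MYSITE.csr"
key_matches "$demo_dir/MYSITE.csr" "$demo_dir/MYSITE.key"
echo "CSR OK, SANs:"; csr_sans "$demo_dir/MYSITE.csr"
```

`key_matches` is the check to run before pasting the CSR into the CA's order form: a CSR made from the wrong key produces a certificate the web server cannot use. The same modulus comparison works later between the signed certificate and the key.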
Order Certificate
This step can be skipped if you created a self-signed certificate.
- Visit a certificate authority; some popular ones are:
- Submit an order request
- The CA will need you to copy and paste the fingerprint of your CSR
- Once approved, you will be e-mailed the official signed SSL Certificate
Update Web Server
- Copy the received certificate to the web server
- Update web server's ssl config file
- Apache: /etc/httpd/conf.d/ssl.conf
SSLEngine on
SSLCertificateFile      /etc/httpd/conf/certs/MYSITE.crt
SSLCertificateKeyFile   /etc/httpd/conf/certs/MYSITE.key
SSLCertificateChainFile /etc/httpd/conf/certs/MY-CA.crt
- Nginx: /<nginx-root>/conf/nginx.conf
ssl on;
# nginx has no separate chain directive: MYSITE.crt must contain the server
# certificate followed by the CA/intermediate certificate(s) from MY-CA.crt
ssl_certificate     /<nginx-root>/conf/certs/MYSITE.crt;
ssl_certificate_key /<nginx-root>/conf/certs/MYSITE.key;
# Only needed when the server verifies client certificates; it does not
# supply the server's own chain
ssl_client_certificate /<nginx-root>/conf/certs/MY-CA.crt;
- Test Config Syntax
- Apache
apachectl configtest
- Nginx
nginx -t
- Reload Config File (graceful restart)
- Apache
apachectl graceful
- Alternative
kill -SIGUSR1 <httpd-root-pid>
- Nginx
/<nginx-root>/sbin/nginx -s reload
- Verify new certs
openssl s_client -connect MYSITE:443 -servername MYSITE </dev/null 2>/dev/null | openssl x509 -noout -text | grep Not
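As an added example (not part of the original page), the script below collects the checks worth running on the signed certificate before the "Update Web Server" steps above are carried out, plus the live-server check from the last step. It confirms the certificate belongs to the private key, chains to the CA file, is not about to expire and covers the hostname, and it builds the concatenated file that nginx needs in place of a chain directive. The `MYSITE` and `MY-CA` file names are the page's placeholders; the demo at the bottom builds its own throwaway CA and certificate so it runs offline.

```sh
#!/bin/sh
# Added example (not from the original page): checks to run on the signed certificate
# before it goes live, plus the live-server check. Paths and hostnames are placeholders;
# the demo at the bottom builds its own throwaway CA and leaf certificate.
set -e

# cert_matches_key CERT KEY -> 0 if CERT's public key belongs to KEY (same RSA modulus)
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -modulus | openssl sha256)
    b=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_chains_to CERT BUNDLE -> 0 if CERT chains to the CA/intermediate certs in BUNDLE.
# For a self-signed cert, pass the cert itself as BUNDLE.
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_valid_for_days CERT DAYS -> 0 unless CERT expires within DAYS days
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_has_san CERT HOST -> 0 if HOST is one of CERT's DNS SANs
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n1 | tr ',' '\n' | sed 's/^ *//' | grep -qx "DNS:$2"
}

# make_nginx_bundle CERT CHAIN OUT: nginx has no chain directive, so the server cert
# goes first in the file and the intermediate(s) follow it.
make_nginx_bundle() {
    cat "$1" "$2" > "$3"
}

# remote_dates HOST [PORT] -> validity dates of the cert the live server presents.
# -servername sets SNI so name-based virtual hosts answer with the right cert;
# </dev/null closes the session instead of waiting for input.
remote_dates() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -dates
}

# make_test_pki DIR: constructed CA + leaf (30-day validity) for the demo and tests only
make_test_pki() {
    dir=$1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\nprompt=no\n[dn]\nCN=Demo CA\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$dir/ca.cnf"
    openssl req -x509 -sha256 -nodes -days 30 -newkey rsa:2048 -config "$dir/ca.cnf" \
        -keyout "$dir/MY-CA.key" -out "$dir/MY-CA.crt" 2>/dev/null
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=www.example.test\n' > "$dir/leaf.cnf"
    openssl req -new -sha256 -nodes -newkey rsa:2048 -config "$dir/leaf.cnf" \
        -keyout "$dir/MYSITE.key" -out "$dir/MYSITE.csr" 2>/dev/null
    printf 'subjectAltName=DNS:www.example.test,DNS:example.test\n' > "$dir/san.ext"
    openssl x509 -req -sha256 -days 30 -in "$dir/MYSITE.csr" \
        -CA "$dir/MY-CA.crt" -CAkey "$dir/MY-CA.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/MYSITE.crt" 2>/dev/null
}

# Demo in a throwaway directory
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
cert_matches_key "$demo_dir/MYSITE.crt" "$demo_dir/MYSITE.key"
cert_chains_to   "$demo_dir/MYSITE.crt" "$demo_dir/MY-CA.crt"
cert_valid_for_days "$demo_dir/MYSITE.crt" 7
cert_has_san "$demo_dir/MYSITE.crt" www.example.test
make_nginx_bundle "$demo_dir/MYSITE.crt" "$demo_dir/MY-CA.crt" "$demo_dir/MYSITE-bundle.crt"
echo "all pre-install checks passed; bundle at $demo_dir/MYSITE-bundle.crt"
openssl x509 -in "$demo_dir/MYSITE.crt" -noout -subject -dates
```

After the reload, `remote_dates MYSITE` shows the dates of the certificate the server actually serves, which is the quickest way to notice that the old file is still loaded or that a different virtual host answered. `cert_valid_for_days` is also handy in a cron job, since an expired certificate is the most common way this setup fails later.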