SSL Certificates

General Information

How to order and replace SSL certificates on popular Linux web servers.

Checklist

  • Distro: Enterprise Linux 6
  • Webserver: Apache or Nginx

Creating a legit CSR or self-signed certificate.

Certificate Signing Requests (CSR) are created with openssl for new certificates. If you are renewing, this step can be skipped.

Generate a new CSR (Certificate Signing Request) and Private key

openssl req -sha256 -new -newkey rsa:2048 -nodes -keyout MYSITE.key -out MYSITE.csr

Generate a new CSR and use an existing Private Key

openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr

If this is for home or testing purposes, a self-signed certificate is good enough.

Create Self-Signed Cert that is good for 1 year

openssl req -sha256 -x509 -nodes -days 365 -newkey rsa:2048 -keyout MYSITE.key -out MYSITE.crt

This step can be skipped if you created a self-signed certificate.

  • Visit a certificate authority; some popular ones are:
  • Submit an order request
    • The CA will need you to copy and paste the fingerprint of your CSR
  • Once approved, you will be e-mailed the official signed SSL Certificate

  • Copy the received certificate to the web server
  • Update web server's ssl config file
    • Apache: /etc/httpd/conf.d/ssl.conf
      • SSLEngine on
        SSLCertificateFile /etc/httpd/conf/certs/MYSITE.crt
        SSLCertificateKeyFile /etc/httpd/conf/certs/MYSITE.key
        SSLCertificateChainFile /etc/httpd/conf/certs/MY-CA.crt
    • Nginx: /<nginx-root>/conf/nginx.conf
      • ssl  on;
        ssl_certificate      /<nginx-root>/conf/certs/MYSITE.crt;
        ssl_certificate_key  /<nginx-root>/conf/certs/MYSITE.key;
      • Nginx has no separate chain directive: append MY-CA.crt to MYSITE.crt so that the file named in ssl_certificate holds the server certificate first, followed by the intermediate CA certificate(s). (ssl_client_certificate is for verifying client certificates and does not send the chain to browsers.)
  • Test Config Syntax
    • Apache
      • apachectl configtest
    • Nginx
      • Nginx tests the config file for validity when the master process receives the "reload" signal (in the next step). If it is valid, the new config is used; if not, the old config stays in effect.
  • Reload Config File (graceful restart)
    • Apache
      • apachectl graceful
      • Alternative
        • kill -SIGUSR1 <httpd-root-pid>
    • Nginx
      • /<nginx-root>/sbin/nginx -s reload
  • Verify new certs
    • openssl s_client -connect MYSITE:443 -servername MYSITE </dev/null 2>/dev/null | openssl x509 -text | grep Not
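Before copying a newly signed certificate into place and reloading the web server, it is worth checking that the certificate actually belongs to the private key on the server, that it chains to the CA bundle, and that it is not about to expire. The following script is an added example written for this page, not part of the wiki or of Apache/Nginx; it assumes only that openssl is in PATH, and the file names (MYSITE.crt, MYSITE.key, MY-CA.crt) are placeholders. The demo function generates a throwaway self-signed certificate (as in the self-signed step above) so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example: pre-flight checks for a new SSL certificate before it is
# installed and the web server is reloaded. Assumes openssl is installed.

# Return 0 if the public key in the certificate matches the private key.
# A mismatch here means the server would fail to start (Apache) or would
# serve errors (Nginx) after the reload.
cert_matches_key() {
    crt=$1; key=$2
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Return 0 if the certificate verifies against the given CA bundle
# (the same MY-CA.crt that goes into SSLCertificateChainFile / the
# concatenated Nginx certificate file).
cert_chain_ok() {
    crt=$1; ca=$2
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1
}

# Return 0 if the certificate is still valid N days from now.
cert_valid_for_days() {
    crt=$1; days=$2
    openssl x509 -in "$crt" -noout -checkend "$(( days * 86400 ))" >/dev/null 2>&1
}

# Self-contained demo with constructed material: a throwaway self-signed
# certificate (its own CA) plus an unrelated key that must NOT match.
demo_selfcheck() {
    tmp=$(mktemp -d) || return 1
    openssl req -sha256 -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=mysite.example" \
        -keyout "$tmp/MYSITE.key" -out "$tmp/MYSITE.crt" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$tmp/other.key" 2048 >/dev/null 2>&1 || return 1

    cert_matches_key "$tmp/MYSITE.crt" "$tmp/MYSITE.key" || return 1   # expected: match
    cert_matches_key "$tmp/MYSITE.crt" "$tmp/other.key"  && return 1   # expected: mismatch
    cert_chain_ok    "$tmp/MYSITE.crt" "$tmp/MYSITE.crt" || return 1   # self-signed: own CA
    cert_valid_for_days "$tmp/MYSITE.crt" 30  || return 1              # valid in 30 days
    cert_valid_for_days "$tmp/MYSITE.crt" 400 && return 1              # expired by day 400

    rm -rf "$tmp"
    return 0
}

# Usage against real files would be, e.g.:
#   cert_matches_key /etc/httpd/conf/certs/MYSITE.crt /etc/httpd/conf/certs/MYSITE.key
#   cert_chain_ok    /etc/httpd/conf/certs/MYSITE.crt /etc/httpd/conf/certs/MY-CA.crt
demo_selfcheck && echo "all pre-flight checks passed"
```

Run the three checks against the real files on the server and only then reload; the checkend test doubles as a cheap cron-able expiry monitor (for example, warn when cert_valid_for_days returns non-zero for 30 days).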
Last modified: 2019/05/25 23:50