SSL Certificates
General Information
How to order and replace SSL certificates on popular Linux web servers.
Checklist
- Distro: Enterprise Linux 6
- Webserver: Apache or Nginx
Create Request
Create either a CSR to send to a certificate authority, or a self-signed certificate for local use.
CSR
Certificate Signing Requests (CSRs) are created with openssl. The first command below also generates the private key; -nodes writes that key unencrypted, so keep it readable by root only (chmod 600) and never send it to the CA, only the CSR. When renewing, most CAs still want a CSR: either a fresh one from a new key (preferred) or one built from the existing key with the second command.
Generate a new CSR (Certificate Signing Request) and Private key
openssl req -new -newkey rsa:2048 -nodes -keyout MYSITE.key -out MYSITE.csr
Generate a new CSR and use an existing Private Key
openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr
Self-Signed Cert
If this is for home or testing purposes, a self-signed certificate is good enough. Browsers and other clients will warn about it because it chains to no trusted CA, so do not use one for anything public.
Create Self-Signed Cert that is good for 1 year
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout MYSITE.key -out MYSITE.crt
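The CSR step above as a small script, added here as an example and not part of the original page: it generates the key and CSR, locks the key file down, and checks the CSR before it is sent off. The hostname example.org, the scratch directory and the subjectAltName config file are assumptions; the page's own commands add no SAN, but CAs and browsers expect the hostnames to be listed there, so the example goes slightly beyond them.

```sh
#!/bin/sh
# Added example, not from the original page. Assumes "example.org" and a
# scratch directory; real use would substitute the site's own hostname.
set -eu

# make_csr HOST OUTDIR -> writes OUTDIR/HOST.key and OUTDIR/HOST.csr
make_csr() {
    host=$1
    outdir=$2
    mkdir -p "$outdir"

    # Minimal openssl config (assumed, not from the page): subject from [dn],
    # subjectAltName added as a request extension so HOST and www.HOST are covered.
    cat > "$outdir/$host.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host,DNS:www.$host
EOF

    # Same shape as the page's first command plus -sha256 and -config.
    # -nodes leaves the key unencrypted, so create it with a restrictive umask
    # and then make the permissions explicit.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -config "$outdir/$host.cnf" \
          -keyout "$outdir/$host.key" -out "$outdir/$host.csr" 2>/dev/null )
    chmod 600 "$outdir/$host.key"
}

# csr_ok CSR -> 0 if the CSR's self-signature verifies (file not truncated/corrupt)
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_matches_key CSR KEY -> 0 if the CSR was built from KEY
# (compares the RSA moduli instead of trusting the file names)
csr_matches_key() {
    csr_mod=$(openssl req -in "$1" -noout -modulus | openssl sha256)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null | openssl sha256)
    [ "$csr_mod" = "$key_mod" ]
}

# csr_sans CSR -> prints the SAN entry, e.g. "DNS:example.org, DNS:www.example.org"
csr_sans() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}

# Usage: generate and check, then paste the contents of example.org.csr into
# the CA's order form.
if [ "${1:-}" = "run" ]; then
    make_csr example.org ./certs
    csr_ok ./certs/example.org.csr && csr_matches_key ./certs/example.org.csr ./certs/example.org.key
    csr_sans ./certs/example.org.csr
    cat ./certs/example.org.csr
fi
```

Run it as `sh make_csr.sh run`. The modulus comparison is worth keeping around: it is the same check to run on the signed certificate later, against the key the server is actually configured with.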
Order Certificate
This step can be skipped if you created a self-signed certificate.
- Visit a certificate authority of your choice
- Submit an order request
- The CA will need you to copy and paste the PEM contents of MYSITE.csr (the block from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----), not a fingerprint, and will then validate that you control the domain
- Once approved, the CA e-mails (or lets you download) the signed certificate, usually together with its intermediate certificate; that intermediate is the MY-CA.crt referenced in the configs below
Update Web Server
- Copy the received certificate and the CA's intermediate to the web server (the private key is already there if the CSR was generated on it); keep the key readable by root only
- Update web server's ssl config file
- Apache: /etc/httpd/conf.d/ssl.conf
SSLEngine on
SSLCertificateFile /etc/httpd/conf/certs/MYSITE.crt
SSLCertificateKeyFile /etc/httpd/conf/certs/MYSITE.key
SSLCertificateChainFile /etc/httpd/conf/certs/MY-CA.crt
- Nginx: /<nginx-root>/conf/nginx.conf
ssl on;
ssl_certificate /<nginx-root>/conf/certs/MYSITE.crt;
ssl_certificate_key /<nginx-root>/conf/certs/MYSITE.key;
- Nginx has no separate chain directive: the file named by ssl_certificate must contain the server certificate first, followed by the intermediate (MY-CA.crt), or clients will see an incomplete chain. Do not use ssl_client_certificate for this; that directive turns on verification of client certificates (mutual TLS) and lists the CAs trusted for that purpose. On newer nginx releases "ssl on;" is deprecated in favour of "ssl" on the listen directive.
- Test Config Syntax
- Apache
apachectl configtest
- Nginx
- The -t option of the nginx binary checks the config file and reports the error. Reloading (next step) also re-parses it: if the new config is valid it is used, otherwise the old config stays in effect, so a bad file does not take the server down, but you would only find out from the error log.
- Reload Config File (graceful restart)
- Apache
apachectl graceful
- Alternative
kill -SIGUSR1 <httpd-root-pid>
- Nginx
/<nginx-root>/sbin/nginx -s reload
- Verify new certs
echo | openssl s_client -connect MYSITE:443 -servername MYSITE 2>/dev/null | openssl x509 -noout -dates
- s_client needs its stdin closed (the echo) or it waits for input, and -servername makes an SNI-enabled server return the certificate for that name. The notBefore/notAfter lines should show the new validity period. Running the s_client half on its own and looking for "Verify return code: 0 (ok)" confirms the server is also sending the intermediate chain.
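The checks worth running between "certificate arrived" and "reload the web server", as an added example that is not part of the original page: does the certificate belong to the key on the server, does it chain to the intermediate the CA sent, how long is it valid, and is the nginx bundle in the right order. Because no CA is reachable offline, the script first builds a throw-away CA and issues a one-year certificate with it; that part is a constructed stand-in for the Order Certificate step and the hostname example.org is an assumption.

```sh
#!/bin/sh
# Added example, not from the original page. The test PKI below only stands in
# for the CA; in real use MY-CA.crt and HOST.crt are the files the CA sent.
set -eu

# make_test_pki DIR HOST
# Constructed stand-in for the CA: writes DIR/MY-CA.crt (+ ca.key), DIR/HOST.key,
# DIR/HOST.csr and a one-year DIR/HOST.crt signed by MY-CA.
make_test_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' 'prompt = no' \
        '[dn]' 'CN = Test Intermediate CA' \
        '[v3_ca]' 'basicConstraints = critical, CA:TRUE' 'keyUsage = critical, keyCertSign, cRLSign' \
        > "$dir/ca.cnf"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' "CN = $host" \
        > "$dir/leaf.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/MY-CA.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/leaf.cnf" -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/MY-CA.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$dir/$host.crt" 2>/dev/null
}

# cert_matches_key CRT KEY -> 0 if the certificate's public key belongs to KEY.
# Catches the classic mistake of deploying a cert issued for a different CSR.
cert_matches_key() {
    crt_mod=$(openssl x509 -in "$1" -noout -modulus | openssl sha256)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null | openssl sha256)
    [ "$crt_mod" = "$key_mod" ]
}

# chain_ok CRT CA -> 0 if CRT verifies against the intermediate/CA file received.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# valid_for CRT SECONDS -> 0 if CRT is still valid SECONDS from now.
# -checkend is portable, unlike date(1) arithmetic on notAfter.
valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# make_bundle CRT CA OUT -> server cert first, then the intermediate: the order
# nginx expects in ssl_certificate (Apache keeps the two files separate).
make_bundle() {
    cat "$1" "$2" > "$3"
}

# bundle_leaf_cn BUNDLE -> CN of the first certificate in the bundle, which
# must be the server certificate and not the intermediate.
bundle_leaf_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

if [ "${1:-}" = "run" ]; then
    make_test_pki ./certs example.org
    cert_matches_key ./certs/example.org.crt ./certs/example.org.key
    chain_ok ./certs/example.org.crt ./certs/MY-CA.crt
    valid_for ./certs/example.org.crt 2592000        # at least 30 days left
    make_bundle ./certs/example.org.crt ./certs/MY-CA.crt ./certs/example.org-bundle.crt
    bundle_leaf_cn ./certs/example.org-bundle.crt
fi
```

Run it as `sh check_cert.sh run`; each function exits non-zero on failure, so the script stops at the first problem under `set -e`. The same four functions apply unchanged to a real certificate and intermediate: point them at MYSITE.crt, MYSITE.key and MY-CA.crt before editing the web server config.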