Pivotal Knowledge Base


How to renew an expired Apache Web Server self-signed certificate using the OpenSSL tool

Environment

Pivotal Web Server

Purpose

This article discusses how to renew an expired Apache Web Server Self-Signed Certificate using the OpenSSL tool.

Use the steps in this article when you need to renew an expired SSL certificate using the OpenSSL tool. 

Procedure

  1. Check the expiration date of your Apache instance's ssl/testingcert.crt certificate by entering the following command:
    > openssl x509 -in ssl/testingcert.crt -noout -enddate
    notAfter=Dec 30 11:10:42 2013 GMT
  2. Generate a new certificate signing request using the existing ssl/testingcert.key private key. You will be prompted for the subject fields (country, state, organization, and so on); enter the same values as the expiring certificate so the renewed certificate keeps its identity.

    > openssl req -new -key ssl/testingcert.key -out ssl/new.csr

    If needed, generate a new 2048-bit RSA private key for encryption and signing

    > openssl genrsa -out ssl/testingcert.key 2048

    NOTE: Use the -des3 flag if you'd like to password-protect your private key. Apache will then need the passphrase when it starts.

    Check your certificate signing request information

    > openssl req -in ssl/new.csr -noout -text
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=ca, ST=Some-State, O=Internet Widgits Pty Ltd
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                        00:c6:3d:60:21:ac:a8:82:36:8c:f0:1b:98:fb:24:
                        33:68:60:14:a0:c1:7d:be:8b:44:c3:81:02:ee:1d:
                        1e:d4:22:5a:6e:67:b4:ed:de:c4:b1:ba:ec:70:be:
                        ...
  3. Generate a new self-signed certificate from the new certificate signing request. The new certificate is valid for 1 year (365 days)
    > openssl x509 -req -days 365 -in ssl/new.csr -signkey ssl/testingcert.key -out ssl/new.crt
  4. Create a new.pem file from your ssl/testingcert.key key
    > cp ssl/testingcert.key ssl/new.pem
  5. Combine the certificate and key together by appending the ssl/new.crt contents to the ssl/new.pem file

    >  cat ssl/new.crt >> ssl/new.pem

    In your Apache SSL configuration file, point the SSL certificate directives at the new.* files, or rename the new files to match the names already used in the configuration

  6. Verify and test the new certificate

    > openssl verify ssl/new.crt
    ssl/new.crt: /C=ca/ST=Some-State/O=Internet Widgits Pty Ltd
    error 18 at 0 depth lookup:self signed certificate
    OK

    The error 18 line is expected: a self-signed certificate is not in the local trust store, so OpenSSL cannot build a chain to a trusted root. The trailing OK confirms that the certificate itself is well-formed and within its validity period.

    Launch an OpenSSL test server with the combined key and certificate file (ssl/testingcert.pem after the rename in step 5) listening on port 4567

    > openssl s_server -cert ssl/testingcert.pem -www -accept 4567

    Establish an SSL-secured client connection and check the certificate information the server presents

    >  openssl s_client -connect localhost:4567
    CONNECTED(00000003)
    depth=0 /C=ca/ST=Some-State/O=Internet Widgits Pty Ltd
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=ca/ST=Some-State/O=Internet Widgits Pty Ltd
    verify return:1
    ---
    Certificate chain
     0 s:/C=ca/ST=Some-State/O=Internet Widgits Pty Ltd
       i:/C=ca/ST=Some-State/O=Internet Widgits Pty Ltd
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIDBjCCAe4CCQCK97sfGPDV5zANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJj
    YTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
    cyBQdHkgTHRkMB4XDTEyMTIzMTA2MjUxOVoXDTEzMTIzMTA2MjUxOVowRTELMAkG
    A1UEBhMCY2ExEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0
    IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    AMY9YCGsqII2jPAbmPskM2hgFKDBfb6LRMOBAu4dHtQiWm5ntO3exLG67HC+kVoH
    0J2HX+nnDi6bbsh244vh9KkpM9rgxkybAyOYYNnDZoiW+87DLxkAR041tX8Vl2yk
    ...

    If you are satisfied with the certificate information, you're ready to start the Apache Server instance using the new certificate.
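The whole procedure above (steps 1 to 6) as one non-interactive script. This is an added example, not part of the Pivotal article; it keeps the article's ssl/testingcert.* and ssl/new.* file names as assumptions, and the 30-day renewal threshold, the 365-day lifetime and the script name renew.sh are assumed values. Instead of answering the `openssl req -new` prompts, it builds the request from the expiring certificate with `openssl x509 -x509toreq`, so the subject is carried over unchanged. It also adds two checks the article leaves out: that the public key in the new certificate belongs to the private key you intend to deploy, and that the combined key+certificate file is written with mode 0600 because it contains the private key.

```shell
#!/bin/sh
# Added example (not from the Pivotal article): non-interactive renewal of an
# Apache self-signed certificate that keeps the existing key and subject.
# Paths, the 30-day threshold and the 365-day lifetime are assumptions.
set -eu

# cert_needs_renewal CERT DAYS: succeeds (exit 0) when CERT expires within DAYS
# days. `openssl x509 -checkend N` exits non-zero when the certificate will
# expire inside the next N seconds, so the result is inverted here.
cert_needs_renewal() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
        return 1   # still valid beyond the threshold
    fi
    return 0
}

# renew_self_signed OLD_CERT KEY NEW_CERT DAYS: turns the old certificate into a
# signing request (subject copied, no prompts) and self-signs it with the same
# key for DAYS days. The CSR is written next to NEW_CERT with a .csr suffix.
renew_self_signed() {
    old_cert=$1; key=$2; new_cert=$3; days=$4
    csr=${new_cert%.crt}.csr
    openssl x509 -x509toreq -in "$old_cert" -signkey "$key" -out "$csr" 2>/dev/null
    openssl x509 -req -days "$days" -in "$csr" -signkey "$key" -out "$new_cert" 2>/dev/null
}

# key_matches_cert KEY CERT: succeeds when the public key embedded in CERT is
# the one derived from KEY. A certificate signed with a freshly generated key
# verifies fine on its own; this catches the mismatch before Apache does.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$key_pub" = "$cert_pub" ]
}

# build_combined_pem KEY CERT PEM: the key-then-certificate file the article
# assembles with cp and cat, created with mode 0600 from the start (umask in a
# subshell so the rest of the script is unaffected).
build_combined_pem() {
    ( umask 077; cat "$1" "$2" > "$3" )
    chmod 600 "$3"
}

# cert_subject CERT: prints the subject line, used to confirm the renewed
# certificate kept the identity of the old one.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Renew ssl/testingcert.crt (assumed path) if it expires within 30 days.
main() {
    cert=ssl/testingcert.crt; key=ssl/testingcert.key
    if cert_needs_renewal "$cert" 30; then
        renew_self_signed "$cert" "$key" ssl/new.crt 365
        key_matches_cert "$key" ssl/new.crt || { echo "key/certificate mismatch" >&2; exit 1; }
        build_combined_pem "$key" ssl/new.crt ssl/new.pem
        echo "renewed: $(cert_subject ssl/new.crt)"
        openssl x509 -in ssl/new.crt -noout -enddate
    else
        echo "$cert does not expire within 30 days; nothing to do"
    fi
}

# Only act when invoked as `sh renew.sh renew`; otherwise just define the functions.
case "${1:-}" in
    renew) main ;;
esac
```

Run it as `sh renew.sh renew` from the directory that contains the ssl/ files; after it succeeds, point the Apache SSL directives at ssl/new.crt and ssl/new.pem (or rename them as in step 5) and repeat the s_server/s_client check from step 6. The key/certificate match check is the one that pays for itself on a renewal: if a new key was generated in step 2 but the old one was used in step 3 (or the other way round), `openssl verify` still prints OK and the problem only surfaces when Apache refuses to start.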

Additional Information

OpenSSL Command-Line HOWTO 
