Renew expired self-signed SSL certificate

For some reason, it might be very difficult to find information on how to renew a self-signed certificate. This is a nice (and short) explanation:

Please note that a .pem file is in fact (as you can guess from the small guide) a combined .key and .crt.

In short, and only for the purpose of not losing this reference (as has happened many times before with sites referenced on this blog), here is the procedure (just adapt it to your case, i.e. replace and all locality details with yours). The “Common name” requested by the openssl command is the domain name. For multiple-domain certificates, leave the top-level domain name without a prefix. Note that the filenames (, etc) do not matter, except that the extension (.pem, .key, .crt) might be helpful later on when wondering which file does what:

  # cd /etc/apache2/ssl
  # openssl genrsa -out 1024
  # chmod 600
  # openssl req -new -key -out
    Data Mining
    Kayon Toga
    (no challenge password)
  # openssl x509 -req -days 365 -in 
            -signkey -out
  # mv apache.pem apache.pem.old
  # cp apache.pem
  # cat >> apache.pem
  # chmod 600 apache.pem
  # service apache2 restart

If you are only replacing an old certificate, make sure you save the old file and generate the new files using the previous names. If you have several virtual hosts, this will save you a whole lot of time.
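
The procedure above as a non-interactive script, added here as an example and not part of the original post; `check_pem` is an added verification step that confirms the key and certificate in the combined file belong together and that the certificate is not about to expire. The `.key`/`.csr`/`.crt` file names, the `example.test` Common Name, the key-then-certificate order inside the `.pem`, and the 2048-bit key size (instead of the 1024 shown above, which is no longer considered adequate for RSA) are assumptions.

```shell
#!/bin/sh
# Added example: file names, CN and the 2048-bit key size are assumptions.

# renew_selfsigned DIR NAME CN DAYS
# Writes NAME.key, NAME.csr, NAME.crt and the combined NAME.pem in DIR.
renew_selfsigned() {
    dir=$1; name=$2; cn=$3; days=$4
    (
        cd "$dir" || exit 1
        umask 077    # files holding the private key are never group/world readable
        # Keep the previous combined file so a rollback is a single mv.
        if [ -f "$name.pem" ]; then mv "$name.pem" "$name.pem.old"; fi
        openssl genrsa -out "$name.key" 2048 2>/dev/null || exit 1
        # -subj supplies the Common Name without prompts (no challenge password).
        openssl req -new -key "$name.key" -subj "/CN=$cn" -out "$name.csr" || exit 1
        openssl x509 -req -days "$days" -in "$name.csr" \
            -signkey "$name.key" -out "$name.crt" 2>/dev/null || exit 1
        # The .pem is the private key and the certificate concatenated.
        cat "$name.key" "$name.crt" > "$name.pem" || exit 1
        chmod 600 "$name.key" "$name.pem"
    )
}

# check_pem FILE [SECONDS]
# Returns 0 only if the key and certificate in FILE belong together and the
# certificate stays valid for at least SECONDS more (default 0).
# Returns 2 on a key/certificate mismatch, 3 if the certificate expires too soon.
check_pem() {
    pem=$1; margin=${2:-0}
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$pem" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key/certificate mismatch in $pem" >&2
        return 2
    fi
    if ! openssl x509 -in "$pem" -noout -checkend "$margin" >/dev/null; then
        echo "certificate in $pem expires within ${margin}s" >&2
        return 3
    fi
    return 0
}

# Demo in a scratch directory (constructed values), not the live Apache directory.
demo=$(mktemp -d)
renew_selfsigned "$demo" apache example.test 365 \
    && check_pem "$demo/apache.pem" \
    && openssl x509 -in "$demo/apache.pem" -noout -subject -enddate
rm -rf "$demo"
```

Running `check_pem` with a margin such as 2592000 (30 days) from a scheduled job gives early notice before the next expiry.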

