Renew expired self-signed SSL certificate

For some reason, it might be very difficult to find information on how to renew a self-signed certificate. This is a nice (and short) explanation:

Please note that a .pem file is in fact (as you can guess from the small guide) a combined .key and .crt.

In short, and only so that this reference does not get lost (as has happened many times before with sites referenced on this blog), here is the procedure (just adapt it to your case, i.e. replace and all locality details with yours). The “Common name” requested by the openssl command is the domain name. Leave the top-level domain name without a prefix for multiple-domain certificates. Note that the filenames (, etc) do not matter, except that the extension (.pem, .key, .crt) might be helpful later on when wondering which file does what:

  # cd /etc/apache2/ssl
  # openssl genrsa -out 1024
  # chmod 600
  # openssl req -new -key -out
    Data Mining
    Kayon Toga
    (no challenge password)
  # openssl x509 -req -days 365 -in 
            -signkey -out
  # mv apache.pem apache.pem.old
  # cp apache.pem
  # cat >> apache.pem
  # chmod 600 apache.pem
  # service apache2 restart

If you are only replacing an old certificate, make sure you save the old file and generate the new files using the previous names. If you have several virtual hosts, this will save you a whole lot of time.
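The same renewal as a script, followed by a check that the key and certificate inside the combined .pem actually belong together. This is an added example, not part of the original post: the `server.*` filenames, the `example.test` name and the function names are placeholders, the caller supplies the directory, and it generates a 2048-bit key where the command above says 1024.

```shell
#!/bin/sh
# Added example. server.* and the function names are placeholders, not the post's.

# renew_selfsigned DIR COMMON_NAME [DAYS]
renew_selfsigned() {
    dir=$1; cn=$2; days=${3:-365}
    (
        umask 077    # key and .pem are created mode 600, no chmod window
        cd "$dir" || exit 1
        # Keep the expired bundle, as the procedure above does.
        if [ -f server.pem ]; then mv server.pem server.pem.old; fi
        # New private key (2048 bits is this example's choice).
        openssl genrsa -out server.key 2048 2>/dev/null || exit 1
        # CSR with the domain as Common Name and no challenge password.
        openssl req -new -key server.key -subj "/CN=$cn" -out server.csr || exit 1
        # Self-sign the CSR with the same key.
        openssl x509 -req -days "$days" -in server.csr \
            -signkey server.key -out server.crt 2>/dev/null || exit 1
        # The .pem is simply the key followed by the certificate.
        cat server.key server.crt > server.pem
    )
}

# check_bundle PEM [MIN_SECONDS_LEFT]
# 0 = ok, 1 = unreadable, 2 = key/cert mismatch, 3 = expires too soon
check_bundle() {
    pem=$1; min_left=${2:-86400}
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 1
    # A bundle assembled from the wrong pair of files fails here.
    [ "$cert_pub" = "$key_pub" ] || return 2
    openssl x509 -in "$pem" -noout -checkend "$min_left" >/dev/null 2>&1 || return 3
    return 0
}
```

Running `check_bundle` on the new .pem before restarting Apache catches a bundle built from a stale key or certificate.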

