Renew expired self-signed SSL certificate

For some reason, it might be very difficult to find information on how to renew a self-signed certificate. This is a nice (and short) explanation: http://linux.togaware.com/survivor/Renew_SSL.html.

Please note that a .pem file is in fact (as you can guess from the small guide) a combined .key and .crt.

In short and only for the purpose of not loosing this reference (as has happened many times before with sites referenced on this blog), here is the procedure (just adapt to your case, i.e. replace togaware.com and all locality details with yours). The “Common name” requested by the openssl command is the domain name. Leave top level domain name without prefix for multiple domains certificates. Note that the filenames (togaware.com.key, etc) do not have any importance apart that the extension (.pem, .key, .crt) might be helpful later on when wondering which file does what:

  # cd /etc/apache2/ssl
  # openssl genrsa -out togaware.com.key 1024
  # chmod 600 togaware.com.key
  # openssl req -new -key togaware.com.key -out togaware.com.csr
    AU
    ACT
    Canberra
    Togaware
    Data Mining
    Kayon Toga
    Kayon.Toga@togaware.com
    (no challenge password)
  # openssl x509 -req -days 365 -in togaware.com.csr 
            -signkey togaware.com.key -out togaware.com.crt
  # mv apache.pem apache.pem.old
  # cp togaware.com.key apache.pem
  # cat togaware.com.crt >> apache.pem
  # chmod 600 apache.pem
  # service apache2 restart

If you are only replacing an old certificate, make sure you save the old file and generate the new files using the previous names. If you have several virtual hosts, this will save you a whole lot of time.

 

It's only fair to share...Share on Facebook
Facebook
Tweet about this on Twitter
Twitter
Share on LinkedIn
Linkedin
Share on Tumblr
Tumblr
Email this to someone
email
Posted in:

Leave a Reply

Your email address will not be published. Required fields are marked *