
Everything you never wanted to know about SSL certificates and Linux

Determining where the old cert is stored (Apache)

$ cd /etc/httpd

$ grep -ri ssl conf conf.d | grep -v ":[[:space:]]*#"

Look for SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile

Reading Certificates

Reading a private key

$ openssl rsa -in mykey.crt -check

Reading a certificate signing request (CSR)

$ openssl req -text -noout -verify -in myreq.csr

Reading a signed public certificate

$ openssl x509 -in mypub.crt -text -noout

Creating a new cert with a new private key

$ cp -a /etc/pki/tls /etc/pki/tls.old

$ cd /etc/pki/tls

$ openssl req -out myreq.csr -new -newkey rsa:4096 -nodes -keyout mykey.crt

$ cat myreq.csr

Paste the CSR into the InCommon provisioning website.

Renewing a cert with an existing private key

$ cp -a /etc/pki/tls /etc/pki/tls.old

$ cd /etc/pki/tls

$ openssl req -new -key mykey.crt -out myreq.csr

$ cat myreq.csr

Paste the CSR into the InCommon provisioning website.

Renewing a cert with an existing public/private key pair

$ cp -a /etc/pki/tls /etc/pki/tls.old

$ cd /etc/pki/tls

$ openssl x509 -x509toreq -in certificate.crt -out myreq.csr -signkey mykey.crt

$ cat myreq.csr

Paste the CSR into the InCommon provisioning website.

Installing new cert into the system

Download the signed certificate from InCommon (called mypub.crt in this tutorial).

Download the certificate chain from InCommon (called mypub_interm.crt in this tutorial).

$ cp ~/mypub_interm.crt /etc/pki/tls/certs/server-chain.crt

$ cp ~/mypub.crt /etc/pki/tls/certs/localhost.crt

$ cd /etc/pki/tls

$ cp mykey.crt private/localhost.key

$ /etc/init.d/httpd graceful
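Before the graceful restart it is worth confirming that the key, certificate and chain just copied in actually belong together. The script below is an added example, not part of the original notes; it assumes the /etc/pki/tls paths used above and, for the root store, a RHEL-style /etc/pki/tls/certs/ca-bundle.crt (override with CAFILE).

```shell
#!/bin/sh
# Added pre-flight checks (not part of the original notes): run them after
# copying the files into /etc/pki/tls and before "httpd graceful", so Apache
# never loads a key that does not match the certificate, an incomplete
# chain, or a certificate that is about to expire.

# 0 if the public key embedded in CERT ($1) is the one derived from KEY ($2).
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if CERT ($1) chains to a root in CAFILE ($3) via the intermediates in CHAIN ($2).
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# 0 if CERT ($1) is still valid DAYS ($2) days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run every check against the paths used in the notes; the CA bundle
# location is an assumption (RHEL-style layout), override with CAFILE.
preflight() {
    tls=${TLSDIR:-/etc/pki/tls}
    cert=$tls/certs/localhost.crt
    key=$tls/private/localhost.key
    chain=$tls/certs/server-chain.crt
    cafile=${CAFILE:-$tls/certs/ca-bundle.crt}
    rc=0
    cert_key_match "$cert" "$key" || { echo "FAIL: $key does not match $cert" >&2; rc=1; }
    chain_verifies "$cert" "$chain" "$cafile" \
        || { echo "FAIL: $cert does not verify through $chain" >&2; rc=1; }
    cert_valid_for_days "$cert" 30 || echo "WARN: $cert expires within 30 days" >&2
    return $rc
}

# Only run the checks when invoked with "run", e.g.: sh preflight.sh run
if [ "${1-}" = run ]; then
    preflight && echo "OK: safe to run /etc/init.d/httpd graceful"
fi
```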