topic Re: Re-Generate SSL Certificate in Expedition Discussions

Re-Generate SSL Certificate

LCMember2274 — Mon, 07 Jan 2019 13:57:48 GMT

Hi,

I'm in the process of hardening Expedetion (v 1.1.2) using the Expedition-Hardening-Guide. Everything is going well, expect when I attempt to update the SSL certificate the changes do not seem to take effect. I've even gone so far as to remove the old *snakeoil* files and replace them with new ones.

Does anyone have advice on how to update to either a new self-signed certificate or trusted certificate?

Thanks,

Re: Re-Generate SSL Certificate

alestevez — Wed, 09 Jan 2019 12:04:12 GMT

Probably you did but Have you restarted the apache daemon after the changes?

Re: Re-Generate SSL Certificate

LCMember2274 — Wed, 09 Jan 2019 12:16:09 GMT

Thanks for the feedback. Yes I restarted both the service and the VM, it didn't seem to have any impact.

Re: Re-Generate SSL Certificate

alestevez — Wed, 09 Jan 2019 12:44:37 GMT

I just tried to run the 2 commands from the hardening guide and worked for me, Have you tried to use another browser to see if it gets the new certificate?

You can check in the config file if your apache is pointing to those certificates?

go to /etc/apache/sites-enabled

and edit the file "default-ssl.conf and check for

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem

SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

Regards

Re: Re-Generate SSL Certificate

LCMember2274 — Wed, 09 Jan 2019 13:10:31 GMT

Thanks, a different browser picked up the new cert.

Appreciate it!

Re: Re-Generate SSL Certificate

trice — Thu, 01 Apr 2021 17:34:51 GMT

Let's create a new certificate for Expedition!

First we need to create a CSR to get signed by an external CA. Copy the stanza below and edit for your
Expeditions' settings. Save it as req.conf.

expedition@Expedition:~$ mkdir ssl && cd ssl
expedition@Expedition:~/ssl$ vi req.conf

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = OR
L = Portland
O = RiceCasa
OU = Tooling
CN = expedtion.example.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = expedition.example.com
DNS.2 = expedition
IP.1 = 10.1.0.34

With the req.conf configured, create the CSR:

expedition@Expedition:~/ssl$ openssl req -new -out expedition.csr -newkey rsa:2048 -nodes -sha256 -keyout expedition.key -config req.conf

Generating a 2048 bit RSA private key
..................................................+++
........+++
writing new private key to 'expedition.key'
-----

expedition@Expedition:~/ssl$ ls -l
total 20
drwxrwxr-x 2 expedition expedition 4096 Apr 1 11:49 ./
drwxr-xr-x 6 expedition expedition 4096 Apr 1 11:49 ../
-rw-rw-r-- 1 expedition expedition 1167 Apr 1 11:49 expedition.csr
-rw-rw-r-- 1 expedition expedition 1704 Apr 1 11:49 expedition.key
-rw-rw-r-- 1 expedition expedition 386 Apr 1 11:48 req.conf
expedition@Expedition:~/ssl$

Copy the content of the expedition.csr and submit it to your CA:
expedition@Expedition:~/ssl$ more expedition.csr
-----BEGIN CERTIFICATE REQUEST-----
..... removed .....
-----END CERTIFICATE REQUEST-----

Get that signed, and save the signed cert as expedition.crt

Change the permissions of the private key:
expedition@Expedition:~/ssl$ chmod 400 expedtion.key

Move the certs to the proper locations:
expedition@Expedition:~/ssl$ sudo mv expedition.key /etc/ssl/private/
expedition@Expedition:~/ssl$ sudo mv expedition.crt /etc/ssl/certs/

Edit Apache's config:
expedition@Expedition:~/ssl$ sudo vi /etc/apache2/sites-enabled/default-ssl.conf

Find these lines:
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

Edit them to:
SSLCertificateFile /etc/ssl/certs/expedition.crt
SSLCertificateKeyFile /etc/ssl/private/expedition.key

Restart apache.
expedition@Expedition:~/ssl$ sudo service apache2 restart