Re-Generate SSL Certificate


L1 Bithead

Hi, 

I'm in the process of hardening Expedition (v 1.1.2) using the Expedition-Hardening-Guide.  Everything is going well, except when I attempt to update the SSL certificate the changes do not seem to take effect.  I've even gone so far as to remove the old *snakeoil* files and replace them with new ones.

 

Does anyone have advice on how to update to either a new self-signed certificate or trusted certificate?


Thanks,


Accepted Solutions

I just tried to run the 2 commands from the hardening guide and it worked for me. Have you tried to use another browser to see if it gets the new certificate?

You can check in the config file whether your Apache is pointing to those certificates.

Go to /etc/apache/sites-enabled and edit the file "default-ssl.conf" and check for:

SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

Regards

5 REPLIES

L7 Applicator

You probably did, but have you restarted the Apache daemon after the changes?

Thanks for the feedback.  Yes I restarted both the service and the VM, it didn't seem to have any impact. 

Thanks, a different browser picked up the new cert. 

Appreciate it!

L0 Member

Let's create a new certificate for Expedition!

First we need to create a CSR to get signed by an external CA. Copy the stanza below and edit for your Expedition's settings. Save it as req.conf.


expedition@Expedition:~$ mkdir ssl && cd ssl
expedition@Expedition:~/ssl$ vi req.conf

 

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = OR
L = Portland
O = RiceCasa
OU = Tooling
CN = expedition.example.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = expedition.example.com
DNS.2 = expedition
IP.1 = 10.1.0.34


With the req.conf configured, create the CSR:

expedition@Expedition:~/ssl$ openssl req -new -out expedition.csr -newkey rsa:2048 -nodes -sha256 -keyout expedition.key -config req.conf


Generating a 2048 bit RSA private key
..................................................+++
........+++
writing new private key to 'expedition.key'
-----


expedition@Expedition:~/ssl$ ls -l
total 20
drwxrwxr-x 2 expedition expedition 4096 Apr 1 11:49 ./
drwxr-xr-x 6 expedition expedition 4096 Apr 1 11:49 ../
-rw-rw-r-- 1 expedition expedition 1167 Apr 1 11:49 expedition.csr
-rw-rw-r-- 1 expedition expedition 1704 Apr 1 11:49 expedition.key
-rw-rw-r-- 1 expedition expedition 386 Apr 1 11:48 req.conf
expedition@Expedition:~/ssl$

 

Copy the content of the expedition.csr and submit it to your CA:
expedition@Expedition:~/ssl$ more expedition.csr
-----BEGIN CERTIFICATE REQUEST-----
..... removed .....
-----END CERTIFICATE REQUEST-----

 

Get that signed, and save the signed cert as expedition.crt

 

Change the permissions of the private key:
expedition@Expedition:~/ssl$ chmod 400 expedition.key

 

Move the certs to the proper locations:
expedition@Expedition:~/ssl$ sudo mv expedition.key /etc/ssl/private/
expedition@Expedition:~/ssl$ sudo mv expedition.crt /etc/ssl/certs/

 

Edit Apache's config:
expedition@Expedition:~/ssl$ sudo vi /etc/apache2/sites-enabled/default-ssl.conf

 

Find these lines:
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

 

Edit them to:
SSLCertificateFile /etc/ssl/certs/expedition.crt
SSLCertificateKeyFile /etc/ssl/private/expedition.key

 

Restart apache.
expedition@Expedition:~/ssl$ sudo service apache2 restart
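
To confirm on the server itself that a replaced certificate has taken effect (the original question in this thread), the following added example, which is not from the thread or the hardening guide, reads the certificate paths from default-ssl.conf, checks that the key pairs with the certificate, and compares the on-disk fingerprint with what Apache presents. The function names and the script name check.sh are hypothetical; reading the key under /etc/ssl/private requires root.

```shell
#!/usr/bin/env bash
# Added example (not from the thread); function names are hypothetical.

# Print the value of an Apache directive from a vhost file. Commented-out
# lines are skipped, matching is case-insensitive, the last occurrence wins
# (assumes one vhost per file, as in the stock default-ssl.conf).
directive_value() {            # usage: directive_value <directive> <conf>
  awk -v d="$1" 'tolower($1) == tolower(d) { v = $2; gsub(/"/, "", v) }
                 END { if (v != "") print v }' "$2"
}

# Succeeds only if the private key and the certificate carry the same public
# key. Returns 2 if either file cannot be read or parsed.
key_matches_cert() {           # usage: key_matches_cert <cert> <key>
  local from_cert from_key
  from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$from_cert" = "$from_key" ]
}

# SHA-256 fingerprint of a certificate file, and of whatever the server
# actually presents on the wire (independent of any browser).
file_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
served_fingerprint() {         # usage: served_fingerprint <host> [port]
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

check_vhost() {                # usage: check_vhost <conf> <host>
  local crt key disk wire
  crt=$(directive_value SSLCertificateFile "$1")
  key=$(directive_value SSLCertificateKeyFile "$1")
  echo "configured: cert=$crt key=$key"
  key_matches_cert "$crt" "$key" || { echo "FAIL: key/cert mismatch or unreadable"; return 1; }
  disk=$(file_fingerprint "$crt"); wire=$(served_fingerprint "$2")
  [ -n "$wire" ] && [ "$disk" = "$wire" ] ||
    { echo "FAIL: server presents $wire, file is $disk"; return 1; }
  echo "OK: Apache is serving $crt"
}

# Example: sudo ./check.sh /etc/apache2/sites-enabled/default-ssl.conf expedition.example.com
if [ "$#" -ge 2 ]; then check_vhost "$1" "$2"; fi
```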
