Re-Generate SSL Certificate


L1 Bithead


I'm in the process of hardening Expedition (v 1.1.2) using the Expedition-Hardening-Guide.  Everything is going well, except when I attempt to update the SSL certificate the changes do not seem to take effect.  I've even gone so far as to remove the old *snakeoil* files and replace them with new ones.  


Does anyone have advice on how to update to either a new self-signed certificate or trusted certificate?



L0 Member

Let's create a new certificate for Expedition!

First we need to create a CSR to get signed by an external CA. Copy the stanza below and edit for your
Expedition's settings. Save it as req.conf.

expedition@Expedition:~$ mkdir ssl && cd ssl
expedition@Expedition:~/ssl$ vi req.conf


[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
L = Portland
O = RiceCasa
OU = Tooling
CN =

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 =
DNS.2 = expedition
IP.1 =

With the req.conf configured, create the CSR:

expedition@Expedition:~/ssl$ openssl req -new -out expedition.csr -newkey rsa:2048 -nodes -sha256 -keyout expedition.key -config req.conf

Generating a 2048 bit RSA private key
writing new private key to 'expedition.key'

expedition@Expedition:~/ssl$ ls -l
total 20
drwxrwxr-x 2 expedition expedition 4096 Apr 1 11:49 ./
drwxr-xr-x 6 expedition expedition 4096 Apr 1 11:49 ../
-rw-rw-r-- 1 expedition expedition 1167 Apr 1 11:49 expedition.csr
-rw-rw-r-- 1 expedition expedition 1704 Apr 1 11:49 expedition.key
-rw-rw-r-- 1 expedition expedition 386 Apr 1 11:48 req.conf


Copy the content of the expedition.csr and submit it to your CA:
expedition@Expedition:~/ssl$ more expedition.csr
..... removed .....


Get that signed, and save the signed cert as expedition.crt


Change the permissions of the private key:
expedition@Expedition:~/ssl$ chmod 400 expedition.key


Move the certs to the proper locations:
expedition@Expedition:~/ssl$ sudo mv expedition.key /etc/ssl/private/
expedition@Expedition:~/ssl$ sudo mv expedition.crt /etc/ssl/certs/


Edit Apache's config:
expedition@Expedition:~/ssl$ sudo vi /etc/apache2/sites-enabled/default-ssl.conf


Find these lines:
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key


Edit them to:
SSLCertificateFile /etc/ssl/certs/expedition.crt
SSLCertificateKeyFile /etc/ssl/private/expedition.key


Restart Apache:
expedition@Expedition:~/ssl$ sudo service apache2 restart
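
Added example (not part of the original reply): a shell script for the situation in the question, where a replaced certificate does not seem to take effect. It checks that the private key matches the signed certificate, lists every certificate path the enabled vhosts reference, and compares the file on disk with what Apache actually serves. The function names and the `--check` option are hypothetical; the paths are the ones used above.

```shell
#!/usr/bin/env bash
# Added example: checks to run after swapping the certificate as in the post above.
# Function names are hypothetical; paths are the ones used in the post.

# SHA-256 of the public key inside a certificate, private key or CSR.
pubkey_sha256() {                      # usage: pubkey_sha256 cert|key|csr FILE
  local pem
  case "$1" in
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac
  [ -n "$pem" ] || return 1            # unreadable or unparsable file: fail, never hash nothing
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 | awk '{print $NF}'
}

# True only when the private key and the signed certificate hold the same public key.
key_matches_cert() {                   # usage: key_matches_cert KEY CERT
  local k c
  k=$(pubkey_sha256 key "$1") || return 1
  c=$(pubkey_sha256 cert "$2") || return 1
  [ "$k" = "$c" ]
}

# Every certificate/key path referenced by the enabled vhosts (catches a stale snakeoil line).
configured_cert_paths() {              # usage: configured_cert_paths [DIR]
  grep -RhE '^[[:space:]]*SSLCertificate(Key)?File' "${1:-/etc/apache2/sites-enabled}" |
    awk '{print $1, $2}' | sort -u
}

cert_sha256() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Fingerprint of the certificate the listener actually presents.
served_sha256() {                      # usage: served_sha256 HOST:PORT
  openssl s_client -connect "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

if [ "${1:-}" = "--check" ]; then      # e.g. sudo bash check.sh --check localhost:443
  crt=/etc/ssl/certs/expedition.crt key=/etc/ssl/private/expedition.key
  configured_cert_paths
  key_matches_cert "$key" "$crt" || { echo "key does not match $crt"; exit 1; }
  [ "$(cert_sha256 "$crt")" = "$(served_sha256 "${2:-localhost:443}")" ] ||
    { echo "Apache is still serving a different certificate"; exit 1; }
  echo "OK: key matches, and Apache serves $crt"
fi
```

Run it with sudo, because the key in /etc/ssl/private/ is readable only by its owner after the chmod 400 step.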
