28 diciembre, 2024

One of my web servers sent me this email this morning:

Subject: The certificate for ServerName.com has expired
################# SSL Certificate Warning ################
Certificate for hostname 'ServerName.com', in file (or by nickname): /etc/pki/tls/certs/server.crt
The certificate needs to be renewed; this can be done using the 'genkey' program.
Browsers will not be able to correctly connect to this web site using SSL until the certificate is renewed.
##########################################################
Generated by certwatch(1)

The only problem is that the server lied. 🙂
You can use the ‘genkey’ program to renew an SSL certificate if your
certificate is signed by a CA (Certificate Authority), but if you’re
using a self-signed certificate (like me), then genkey won’t work. The
quickest solution is to merely re-create your own certificate.

Step 1: Verify Your Current Certificate Directives

If your certificate has recently expired, then it’s probably been at
least a year since you tinkered with it. The warning email told you the
path of your certificate file, but you should also verify the filenames,
locations, and the directives of your web server’s SSL configuration by
doing:

grep SSLCertificate /etc/httpd/conf.d/ssl.conf

You should get something like:

# Point SSLCertificateFile at a PEM encoded certificate. If
 SSLCertificateFile /etc/pki/tls/certs/server.crt
 SSLCertificateKeyFile /etc/pki/tls/private/server.key
 # Point SSLCertificateChainFile at a file containing the
 # the referenced file can be the same as SSLCertificateFile
 #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

You’re interested in the SSLCertificateFile and SSLCertificateKeyFile
directives. This example uses server.crt and server.key as the names of
the certificate files. Yours may be different. Just replace them as
necessary in the following instructions.
Next, take note of the permissions of those two files:

ls -lh /etc/pki/tls/certs/server.crt
 -rw------- 1 root root 1.5K Jun 24 23:02 /etc/pki/tls/certs/server.crt

ls -lh /etc/pki/tls/private/server.key
 -rw------- 1 root root 891 Jun 24 23:02 /etc/pki/tls/private/server.key

They are owned by root and can only be read and written to by root
(permission 600). Your new files will need the same permissions when
you’re done.

Step 2: Create the New Self-Signed Certificate and Key Files

Type the following:

openssl req -new -days 365 -x509 -nodes -newkey rsa:2048 -out /etc/pki/tls/certs/server.crt -keyout /etc/pki/tls/private/server.key

Answer the questions as they are presented to create your new
certificate files, starting with the two-letter country code and ending
with your email address. If you make a mistake, don’t worry. Just re-run
the command and it will overwrite the files.
Your file permissions may not have been affected, but in some cases you’ll need to update their permissions. Do:

chmod 600 /etc/pki/tls/certs/server.crt
chmod 600 /etc/pki/tls/private/server.key

Step 3: Restart Your Web Server

Type service httpd restart to restart your web server and tell it to use the new certificate files.
You’re done!

Pasos rápidos.
 ################# SSL Certificate Warning ################
  Certificate for hostname ‘ ‘, in file (or by nickname):
  The certificate needs to be renewed; this can be done
  using the ‘genkey’ program.
  Browsers will not be able to correctly connect to this
  web site using SSL until the certificate is renewed.
 ##########################################################
                                  Generated by certwatch(1)

# grep SSLCertificate /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

# openssl req -new -days 365 -x509 -nodes -newkey rsa:2048 -out /etc/pki/tls/certs/localhost.crt -keyout /etc/pki/tls/private/localhost.key
Responder las preguntas

# chmod 600 /etc/pki/tls/certs/localhost.crt
# chmod 600 /etc/pki/tls/private/localhost.key

Estos pasos funcionaron en Fedora 20  .fc20.x86_64

Fuente: http://www.stevejenkins.com/blog/2010/08/renewing-a-self-signed-ssl-certificate-on-fedoracentos/

Deja un comentario

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *