Renewing my self signed certificates

Every day solutions to every day challenges. + Brilliant stuff

Moderators: b1o, jkerr82508

Forum rules
Please feel free to post your tip it does not have to be advanced. Also ask questions directly related to the tip here. But do not start new threads with questions or ask for help here. That is what the help section is for. forum rules: http://bjoernvold.com/forum/viewtopic.php?f=8&t=568
User avatar
viking60
Über-Berserk
Posts: 9284
Joined: 14 Mar 2010, 16:34

Renewing my self signed certificates

Postby viking60 » 29 Nov 2017, 11:38

I have to write this down...

I had set up my self signed certificates to get SSL for my (Centos 7) viking server.

After one year they did expire and now they had to be renewed and I will never remember howto do it so that is why I write it down here:

Step 1:
Find your certificates:

Code: Select all

grep SSLCertificate /etc/httpd/conf.d/ssl.conf

This will come up with something like this:

Code: Select all

# Point SSLCertificateFile at a PEM encoded certificate. If
 SSLCertificateFile /etc/pki/tls/certs/ca.crt
 SSLCertificateKeyFile /etc/pki/tls/private/ca.key
 # Point SSLCertificateChainFile at a file containing the
 # the referenced file can be the same as SSLCertificateFile
 #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt


Here we are interested in the SSLCertificateFile and SSLCertificateKeyFile directives (ca.crt and ca.key in this case).


Step 2
Check the permissions of the files:

Code: Select all

ls -lh /etc/pki/tls/certs/ca.crt

Code: Select all

ls -lh /etc/pki/tls/private/ca.key

They are owned by root and can only be read and written to by root (permission 600). Your new files will need the same permissions when you’re done.

Step 3
Create the New Self-Signed Certificate and Key Files - as root:

Code: Select all

openssl req -new -days 365 -x509 -nodes -newkey rsa:2048 -out /etc/pki/tls/certs/ca.crt -keyout /etc/pki/tls/private/ca.key

If you want your certificate to last longer than one year this would be the place to do it....

Step 4
Restart your server:

Code: Select all

sudo systemctl restart httpd


It's as easy as that
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

User avatar
viking60
Über-Berserk
Posts: 9284
Joined: 14 Mar 2010, 16:34

Re: Renewing my self signed certificates

Postby viking60 » 29 Nov 2017, 11:57

So now you can check out https://viking60.no-ip.org/owncloud

...and you will get a lot of protests about untrusted because it is self signed or something like that.

This is because I do not pay the NSA cooperating certificate dudes - with gag orders - money.

If you ask me I am more trustworthy than them (Well I think so :-D )

ImageCommon name: viking60-no-ip.org
Organization: viking60.no-ip.org Org. Unit: viking60-no-ip.org
Location: NO
Valid from November 29, 2017 to August 25, 2020
Serial Number: 15708010913675866908 (0xd9fe10b38d9bf31c)
Signature Algorithm: sha256WithRSAEncryption
Issuer: viking60-no-ip.org

This is up to you though and remember the site is way more secure with SSL than without it and plain http would give you no warning.

So press all the buttons to accept the certificate.

In FF it is under Advanced and add exception but different browsers have different complaints so you need to find the buttons and push them.

Regarding the backup of this board; you will get an error because the vanilla phpBB does not accept the Mysql database anymore.
That is a real problem and I am working on it.
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"


Return to “Tips & Tricks”