Page 1 of 1

Renewing my self signed certificates

Posted: 29 Nov 2017, 11:38
by viking60
I have to write this down...

I had set up my self signed certificates to get SSL for my (Centos 7) viking server.

After one year they did expire and now they had to be renewed and I will never remember howto do it so that is why I write it down here:

Step 1:
Find your certificates:

Code: Select all

grep SSLCertificate /etc/httpd/conf.d/ssl.conf

This will come up with something like this:

Code: Select all

# Point SSLCertificateFile at a PEM encoded certificate. If
 SSLCertificateFile /etc/pki/tls/certs/ca.crt
 SSLCertificateKeyFile /etc/pki/tls/private/ca.key
 # Point SSLCertificateChainFile at a file containing the
 # the referenced file can be the same as SSLCertificateFile
 #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

Here we are interested in the SSLCertificateFile and SSLCertificateKeyFile directives (ca.crt and ca.key in this case).

Step 2
Check the permissions of the files:

Code: Select all

ls -lh /etc/pki/tls/certs/ca.crt

Code: Select all

ls -lh /etc/pki/tls/private/ca.key

They are owned by root and can only be read and written to by root (permission 600). Your new files will need the same permissions when you’re done.

Step 3
Create the New Self-Signed Certificate and Key Files - as root:

Code: Select all

openssl req -new -days 365 -x509 -nodes -newkey rsa:2048 -out /etc/pki/tls/certs/ca.crt -keyout /etc/pki/tls/private/ca.key

If you want your certificate to last longer than one year this would be the place to do it....

Step 4
Restart your server:

Code: Select all

sudo systemctl restart httpd

It's as easy as that

Re: Renewing my self signed certificates

Posted: 29 Nov 2017, 11:57
by viking60
So now you can check out

...and you will get a lot of protests about untrusted because it is self signed or something like that.

This is because I do not pay the NSA cooperating certificate dudes - with gag orders - money.

If you ask me I am more trustworthy than them (Well I think so :-D )

ImageCommon name:
Organization: Org. Unit:
Location: NO
Valid from November 29, 2017 to August 25, 2020
Serial Number: 15708010913675866908 (0xd9fe10b38d9bf31c)
Signature Algorithm: sha256WithRSAEncryption

This is up to you though and remember the site is way more secure with SSL than without it and plain http would give you no warning.

So press all the buttons to accept the certificate.

In FF it is under Advanced and add exception but different browsers have different complaints so you need to find the buttons and push them.

Regarding the backup of this board; you will get an error because the vanilla phpBB does not accept the Mysql database anymore.
That is a real problem and I am working on it.