How can I renew my Centos/Apache SSL certificate?

I got this question the other day from a Centos administrator: “The certwatch tool has been sending me an email warning me that I need to renew the SSL Certificate. What do I do?”

The email message read like the following (names have been changed):

################# SSL Certificate Warning ################

Certificate for hostname 'www.yourlinuxguy.com', in file:
/etc/pki/tls/certs/www.yourlinuxguy.com.cert

The certificate needs to be renewed; this can be done
using the 'genkey' program.

Browsers will not be able to correctly connect to this
web site using SSL until the certificate is renewed.

##########################################################
Generated by certwatch(1)

The administrator had searched the Internet, and found mostly impolite messages from youngsters about reading the docs. Accurate, perhaps, but not too helpful.  This person’s server was not using a public Certificate Authority (CA); just a local one on the box itself (as is common practice in development environments).  If you don’t understand all that, it will make more sense as we go on…

First I want to clarify a couple of things.  When you run the genkey tool, you are actually doing what the name suggests: generating a new key pair (public/private), from which the certificate is formulated.  Technically, you are not *renewing* the certificate as the certwatch warning message implies, but that’s okay (it *is* possible in some situations to “renew” a certificate based on an existing key pair, but that’s not important right now). The genkey tool makes generating a fresh pair so easy and convenient that this is simply the path of least resistance. Remember that a certificate is nothing but a public key that is “stamped” with approval by a CA.  In this case, the CA is you, too.  Not exactly a trusted hierarchy, but there you go…

So to cut to the chase, it’s really easy.  Here’s basically what you need to do:  1.) run the tool, and  2.) validate your SSL settings in your httpd.conf.

Run The Tool

At this point, you may or may not want to make a backup of your cert files…  This is up to you…  You can do that with something like this command (of course, your mileage may vary):

cp -av /etc/pki/tls /etc/pki/tls.bak

If you just run the genkey tool without specifying the certificate lifetime, it defaults to something like 30 days.  Let’s try something a little longer, like 4 years.  Specify the lifetime in days and your hostname on the command line:

genkey --days 1460 www.yourlinuxguy.com

…this will launch an interactive tool to do things like generate the random data, make the key pair, and walk you through specifying the content of the certificate (Country, Location, etc.).  It will place the new stuff in some default location, and at the end of the process, tell you where it all is.  You should take note of the location, but it will likely be what I mentioned above for the backup.

Validate Your SSL Settings

Now, theoretically, you should be able to restart your Apache daemon.  However, you might have used custom names or locations for your certificate files in the past, so you might want to check to be sure they match the SSL settings in your Apache config files.  Of course it’s hard for me to tell you where those settings are, since it’s so easy to customize Apache; but here’s a good way to find the two most important values:

cd /etc/httpd
egrep -R -e "SSLCertificateKeyFile" -e "SSLCertificateFile" *

…and that will likely return results from a file called “ssl.conf” or something like that.  Edit the config file if necessary; just make sure the values match the place that the genkey tool placed the new private key and cert file, and you should be good.

Now, you can restart Apache…

/etc/init.d/httpd restart

…and you’re done!  I hope that helps…
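Before that restart, here is the check I like to run: it pulls the certificate and key paths out of the Apache config the same way the egrep above does, then confirms the key really belongs to the certificate and that the certificate is not about to expire. This is an added example script, not part of the original post; the /etc/httpd and /etc/pki/tls paths are the CentOS defaults assumed throughout.

```shell
#!/bin/sh
# Added example (not from the original post): locate the cert/key pair Apache
# is configured to use, then verify the pair matches and is not expiring soon.

# Print "CERTFILE KEYFILE" for each SSLCertificateFile / SSLCertificateKeyFile
# pair found under the config dir ($1, default /etc/httpd). Commented-out
# directives are skipped and surrounding quotes are stripped. Assumes the usual
# CentOS ssl.conf layout where SSLCertificateFile precedes SSLCertificateKeyFile.
find_ssl_pairs() {
    grep -rhE '^[[:space:]]*SSLCertificate(Key)?File[[:space:]]' "${1:-/etc/httpd}" |
    awk '{ gsub(/"/, "", $2); if ($1 == "SSLCertificateFile") cert = $2; else if (cert != "") { print cert, $2; cert = "" } }'
}

# Usage: check_ssl_pair CERTFILE KEYFILE [WARN_DAYS]
# Prints one word:  missing  - a file is absent or unreadable
#                   mismatch - the private key does not belong to the certificate
#                   expiring - the certificate expires within WARN_DAYS
#                              (default 30, the horizon certwatch warns about)
#                   ok       - everything checks out
# Exit status is 0 only for "ok".
check_ssl_pair() {
    cert="$1"; key="$2"; warn="${3:-30}"
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo missing; return 1
    fi
    # Compare the public key embedded in the certificate with the public key
    # derived from the private key; after genkey both must come from one pair.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo mismatch; return 1
    fi
    # -checkend succeeds only if the certificate is still valid WARN_DAYS from now.
    if ! openssl x509 -in "$cert" -noout -checkend "$((warn * 86400))" >/dev/null 2>&1; then
        echo expiring; return 1
    fi
    echo ok
}

# Typical run after editing ssl.conf and before restarting httpd:
#   find_ssl_pairs /etc/httpd | while read -r c k; do echo "$c: $(check_ssl_pair "$c" "$k")"; done
```

A "mismatch" here is the classic symptom of a config that still points at the old key (or old cert) after genkey wrote new files; Apache will refuse to start until both paths point at the same pair.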

🙂

5 Comments

  1. Aditya

    Hi Nice article, I am managing 2 CentOS servers which hosts the company website. I am getting a mail like the one below

    Subject: The certificate for *.mycompany.com will expire in 17 days

    ################# SSL Certificate Warning ################

    Certificate for hostname ‘*.mycompany.com’, in file:
    /etc/httpd/ssl/server.crt

    The certificate needs to be renewed; this can be done
    using the ‘genkey’ program.

    Browsers will not be able to correctly connect to this
    web site using SSL until the certificate is renewed.

    ##########################################################
    Generated by certwatch(1)

    My company has a valid CA which is Digicert. Could you suggest whether I should use the “openssl” or “genkey” tool to renew the certificates.

    Thanks
    Aditya

  2. Jeremy Pavlov

    @Aditya

    Actually, whenever it comes to renewing public CA certs, I always try to follow their recommended methods. I know that is cheesy and perhaps obvious, but this way they can’t hassle me if part of the process fails for some reason. Just my rule of thumb. And for digicert, they have published a couple helpful docs to get you going…

    http://www.digicert.com/ssl-certificate-renewal.htm

    But, depending on the circumstances, you might not need to do anything but re-certify your old CSR via their website. I’m not sure about digicert, and I certainly don’t speak for them… But why not call them or send a message. I’m sure they’ll be glad to help.

    Good luck!
    -Jeremy

  3. David Annett

    When I run genkey as suggested I get an error “You already have a key file for this host in file: /etc/pki/tls/private/localhost.key” so I guess I will need to “rm -rf /etc/pki/tls” but I’m unsure why a quick Google search suggests no one else, except me, needs to take this step.

  4. Liron Cohen

    It would be smart to check your certificate CN beforehand with

    openssl x509 -in certificate.crt -text -noout

    (Source: https://www.sslshopper.com/article-most-common-openssl-commands.html?jn554906de)

    That way you won’t make a mistake with the hostname you use.

  5. Jeremy Pavlov

    @ Liron Cohen –

    Great tip, thanks!

    -Jeremy
