<p><strong>How can I renew my Centos/Apache SSL certificate?</strong></p>
<p>Posted 2010-04-19 at <a href="https://yourLinuxGuy.com/?p=547">https://yourLinuxGuy.com/?p=547</a> (categories: Apache, CentOS, Intermediate, OpenSSL)</p>
<p>I got this question the other day from a Centos administrator: “<em>The <code>certwatch</code> tool has been sending me an email warning me that I need to renew the SSL Certificate. What do I do?</em>”</p>
<p>The email message read like the following (names have been changed):</p>
<pre>
################# SSL Certificate Warning ################

Certificate for hostname 'www.yourlinuxguy.com', in file:
/etc/pki/tls/certs/www.yourlinuxguy.com.cert

The certificate needs to be renewed; this can be done
using the 'genkey' program.

Browsers will not be able to correctly connect to this
web site using SSL until the certificate is renewed.

##########################################################
Generated by certwatch(1)
</pre>
<p>The administrator had searched the Internet, and found mostly impolite messages from youngsters about reading the docs. Accurate, perhaps, but not too helpful. This person’s server was not using a public Certificate Authority (CA); just a local one on the box itself (as is common practice in development environments). If you don’t understand all that, it will make more sense as we go on…</p>
<p>First I want to clarify a couple of things. When you run the <code>genkey</code> tool, you are actually doing what the name suggests: generating a new key pair (public/private), from which the certificate is built. Technically, you are not <em>renewing</em> the certificate as the <code>certwatch</code> warning message implies, but that’s okay (it <em>is</em> possible in some situations to “renew” a certificate based on an existing key pair, but that’s not important right now). The <code>genkey</code> tool makes generating a fresh pair so easy and convenient that it is simply the easier route. Remember that a certificate is nothing but a public key that has been “stamped” with approval by a CA. In this case, the CA is you, too. Not exactly a trusted hierarchy, but there you go…</p>
<p>So to cut to the chase, it’s really easy. Here’s basically what you need to do: 1.) run the tool, and 2.) validate your SSL settings in your <code>httpd.conf</code>.</p>
<p><strong>Run The Tool</strong></p>
<p>At this point, you may or may not want to make a backup of your cert files… This is up to you… You can do that with something like this command (of course, your mileage may vary):</p>
<p><code>cp -av /etc/pki/tls /etc/pki/tls.bak</code></p>
<p>If you just run the <code>genkey</code> tool without specifying the certificate lifetime, it defaults to something like 30 days. Let’s try something a little longer, like 4 years. Now just specify your hostname on the command line:</p>
<p><code>genkey --days 1460 www.yourlinuxguy.com</code></p>
<p>…this will launch an interactive tool that generates the random data, makes the key pair, and walks you through specifying the content of the certificate (Country, Location, etc.). It will place the new key and certificate in a default location and, at the end of the process, tell you where they are. Take note of that location; it will most likely be under <code>/etc/pki/tls</code>, the directory backed up above.</p>
<p><strong>Validate Your SSL Settings</strong></p>
<p>Now, theoretically, you should be able to restart your Apache daemon. However, you might have used custom names or locations for your certificate files in the past, so check that they match the SSL settings in your Apache config files. Of course it’s hard for me to tell you where those settings are, since it’s so easy to customize Apache; but here’s a good way to find the two most important values:</p>
<pre>
cd /etc/httpd
egrep -R -e "SSLCertificateKeyFile" -e "SSLCertificateFile" *
</pre>
<p>…and that will likely return results from a file called “<code>ssl.conf</code>” or something like that. Edit the config file if necessary; just make sure the values match the place where the <code>genkey</code> tool put the new private key and cert file, and you should be good.</p>
<p>Now, you can restart Apache…</p>
<p><code>/etc/init.d/httpd restart</code></p>
<p>…and you’re done! I hope that helps…</p>
<p>🙂</p>