renew https server certificate

Print Friendly, PDF & Email

We use a self-signed https certificate for our server, and they expire every year or so. When they do, and you visit a page using https, you see something like:

The site's security certificate is not trusted!
The site’s security certificate is not trusted!

So, we have to renew or re-create the certificate. I think I succeeded in writing a script to do this, namely “server-certificate” (poor name), which is a wrapper for genkey.wc, which is a wellesley modification of an older genkey script from RedHat. But, apparently, that’s obsolete, and the genkey.wc script doesn’t run.

I found the following: https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Renewing_Certificates.html. It seems to be on the right topic, but it’s incomprehensible to me. That page describes a choice between “re-generate” and “re-create,” and I think we want “re-generate.”

Ack, this makes no sense. I googled for various things like “RHEL 6 renew https certificate” and got nowhere.  Eventually, I stumbled on http://superuser.com/questions/622434/can-self-signed-ssl-certificate-be-renewed-how which explained that you can’t renew a self-signed certificate, so I just need to create a new one, and I might as well give it a long expiration time.  That may be easier.

Boy, it’s hard to find RHEL 6 documentation. Eventually, I found the following: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Deployment_Guide/index.html#s2-apache-mod_ssl which seems to be trying to explain how to create SSL certificates for Apache.

The first substantive step I did was to install crypto-utils:

yum install crypto-utils

Aha! That installs the “genkey” command! Oh, but they’ve really changed the script:

[root@tempest tls] diff -bB /usr/bin/genkey /root/bin/genkey.wc | wc
 1008 4500 31119
[root@tempest tls]

Oh well. Let’s just follow the instructions and not try to script this, yet.

genkey cs.wellesley.edu

That starts a GUI that prompts for the various pieces of information:

1. It informs me that the key  will be stored in

/etc/pki/tls/private/cs.wellesley.edu

and the certificate will be stored in

/etc/pki/tls/certs/cs.wellesley.edu.crt

2. I chose the default 1024-bit key size. It then starts generating the keys, but it needs to collect some randomness, and, wow, that takes a long time. I think it’s been 5 minutes or more, and it’s only 75% done.

3. I said “no” to whether I want to send a certificate request (CSR) to a certificate authority (CA). That means I’ll get a self-signed certificate.

4. I skipped having a passphrase, to make it easier for apache to start up at boot time (or whatever) without having to give a passphrase.

5. Finally, I get to put in the data about our server:

Country Name: US
State or Province: Massachusetts
Locality: Wellesley
Organization Name: Wellesley College
Organizational Unit: Computer Science Department
Common Name:  cs.wellesley.edu

That finishes the job and the program exited.

Next, I restarted the web server:

apachectl graceful

and re-tried the https connection. Hmm. No luck.

I ran /etc/cron.daily/certwatch and it generated an email saying that the certificate had expired and explicitly said the certificate was in /etc/pki/tls/certs/localhost.crt. So if I just alias (via ln) the localhost files to the cs.wellesley.edu files, that should work:

cd /etc/pki/tls/certs/
[root@tempest certs] pwd
/etc/pki/tls/certs
[root@tempest certs] mv localhost.crt localhost.crt.old
[root@tempest certs] ln cs.wellesley.edu.crt localhost.crt
[root@tempest certs] cd ../private/
[root@tempest private] ls -l *.key
-r--------. 1 root root 937 Jan 26 18:44 cs.wellesley.edu.key
-rw-------. 1 root root 887 Aug 15 2012 localhost.key
[root@tempest private] mv localhost.key localhost.key.old
[root@tempest private] ln cs.wellesley.edu.key localhost.key
[root@tempest private] apachectl graceful
[root@tempest private]

And re-try the web connection…. In Chrome, I still get all kinds of warnings, with no good way to say “add exception” but it *is* using the new certificate. Firefox is much better, allowing me to add an exception. However, the new certificate expires in one month!  (2/26/2014).  What the heck?!

More googling and frustration. Aha, I found this excellent post where all the steps seem to make a lot of sense: http://stevejenkins.com/blog/2010/08/renewing-a-self-signed-ssl-certificate-on-fedoracentos/ 

Furthermore, I found a nice script that fits well with that blog post, called make-dummy-cert, which is in the openssl package.

So, let’s first follow step 1 of Steve’s blog post:

[root@tempest certs] grep SSLCertificate /etc/httpd/conf.d/00_ssl.conf
# Point SSLCertificateFile at a PEM encoded certificate. If
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Point SSLCertificateChainFile at a file containing the
# the referenced file can be the same as SSLCertificateFile
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
[root@tempest certs]

Okay, so that’s why I have to use “localhost” and not cs.wellesley.edu; fine. Let’s check the permissions, as Steve suggests:

[root@tempest certs] ls -l /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key
-rw-rw----. 2 root root 995 Jan 26 18:44 /etc/pki/tls/certs/localhost.crt
-r--------. 2 root root 937 Jan 26 18:44 /etc/pki/tls/private/localhost.key
[root@tempest certs]

Okay, I can tighten those a bit.

Now, I’m going to modify step three, to put a wrapper around the openssl command, so that I don’t have to retype all that stuff each time. I based this wrapper on /etc/pki/tls/certs/make-dummy-cert.  I’m going to copy that to /home/sysadmin/fixes and put the derivative script, make-wellesley-cert in the same directory.

I made some modifications to that script, reducing the number of bits to 1024 (per RedHat’s recommendations) and hard-coding the site info and filename locations. Here’s the finished script:

#!/bin/sh
umask 077

answers() {
 echo US
 echo Massachusetts
 echo Wellesley
 echo Wellesley College
 echo Computer Science Department
 echo cs.wellesley.edu
 echo cs-sysadmin@wellesley.edu
}

name="localhost"
key="/etc/pki/tls/private/$name.key"
crt="/etc/pki/tls/certs/$name.crt"
answers | /usr/bin/openssl req -newkey rsa:1024 -keyout $key -nodes -x509 -days 365 -out $crt 2> /dev/null

ls -l $key $crt
apachectl graceful

Okay, that seems to have worked. Woo-hoo! Thank you, Steve Jenkins!

About CS SysAdmins

The CS Department System Administrators
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *