Renewing a Self-Signed SSL Certificate on Fedora/CentOS 16


One of my web servers sent me this email this morning:

Subject: The certificate for ServerName.com has expired
################# SSL Certificate Warning ################
Certificate for hostname 'ServerName.com', in file (or by nickname): /etc/pki/tls/certs/server.crt
The certificate needs to be renewed; this can be done using the 'genkey' program.
Browsers will not be able to correctly connect to this web site using SSL until the certificate is renewed.
##########################################################
Generated by certwatch(1)

The only problem is that the server lied. 🙂 You can use the ‘genkey’ program to renew an SSL certificate if your certificate is signed by a CA (Certificate Authority), but if you’re using a self-signed certificate (like me), then genkey won’t work. The quickest solution is to merely re-create your own certificate.

Step 1: Verify Your Current Certificate Directives

If your certificate has recently expired, then it’s probably been at least a year since you tinkered with it. The warning email told you the path of your certificate file, but you should also verify the filenames, locations, and the directives of your web server’s SSL configuration by doing:

grep SSLCertificate /etc/httpd/conf.d/ssl.conf

You should get something like:

# Point SSLCertificateFile at a PEM encoded certificate. If
 SSLCertificateFile /etc/pki/tls/certs/server.crt
 SSLCertificateKeyFile /etc/pki/tls/private/server.key
 # Point SSLCertificateChainFile at a file containing the
 # the referenced file can be the same as SSLCertificateFile
 #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

You’re interested in the SSLCertificateFile and SSLCertificateKeyFile directives. This example uses server.crt and server.key as the names of the certificate files. Yours may be different. Just replace them as necessary in the following instructions.

Next, take note of the permissions of those two files:

ls -lh /etc/pki/tls/certs/server.crt
 -rw------- 1 root root 1.5K Jun 24 23:02 /etc/pki/tls/certs/server.crt

ls -lh /etc/pki/tls/private/server.key
 -rw------- 1 root root 891 Jun 24 23:02 /etc/pki/tls/private/server.key

They are owned by root and can only be read and written to by root (permission 600). Your new files will need the same permissions when you’re done.

Step 2: Create the New Self-Signed Certificate and Key Files

Type the following:

openssl req -new -days 365 -x509 -nodes -newkey rsa:2048 -out /etc/pki/tls/certs/server.crt -keyout /etc/pki/tls/private/server.key

Answer the questions as they are presented to create your new certificate files, starting with the two-letter country code and ending with your email address. If you make a mistake, don’t worry. Just re-run the command and it will overwrite the files.

Your file permissions may not have been affected, but in some cases you’ll need to update their permissions. Do:

chmod 600 /etc/pki/tls/certs/server.crt
chmod 600 /etc/pki/tls/private/server.key

Step 3: Restart Your Web Server

Type service httpd restart to restart your web server and tell it to use the new certificate files.

You’re done!