Renewing a Self-Signed SSL Certificate on Fedora/CentOS 17


One of my web servers sent me this email this morning:

Subject: The certificate for ServerName.com has expired
################# SSL Certificate Warning ################
Certificate for hostname 'ServerName.com', in file (or by nickname): /etc/pki/tls/certs/server.crt
The certificate needs to be renewed; this can be done using the 'genkey' program.
Browsers will not be able to correctly connect to this web site using SSL until the certificate is renewed.
##########################################################
Generated by certwatch(1)

The only problem is that the server lied. 🙂 You can use the ‘genkey’ program to renew an SSL certificate if your certificate is signed by a CA (Certificate Authority), but if you’re using a self-signed certificate (like me), then genkey won’t work. The quickest solution is to merely re-create your own certificate.

Step 1: Verify Your Current Certificate Directives

If your certificate has recently expired, then it’s probably been at least a year since you tinkered with it. The warning email told you the path of your certificate file, but you should also verify the filenames, locations, and the directives of your web server’s SSL configuration by doing:

grep SSLCertificate /etc/httpd/conf.d/ssl.conf

You should get something like:

# Point SSLCertificateFile at a PEM encoded certificate. If
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
# Point SSLCertificateChainFile at a file containing the
# the referenced file can be the same as SSLCertificateFile
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

You’re interested in the SSLCertificateFile and SSLCertificateKeyFile directives. This example uses server.crt and server.key as the names of the certificate files. Yours may be different. Just replace them as necessary in the following instructions.

Next, take note of the permissions of those two files:

ls -lh /etc/pki/tls/certs/server.crt
-rw------- 1 root root 1.5K Jun 24 23:02 /etc/pki/tls/certs/server.crt

ls -lh /etc/pki/tls/private/server.key
-rw------- 1 root root 891 Jun 24 23:02 /etc/pki/tls/private/server.key

They are owned by root and can only be read and written to by root (permission 600). Your new files will need the same permissions when you’re done.

Step 2: Create the New Self-Signed Certificate and Key Files

Type the following:

openssl req -new -days 365 -x509 -nodes -newkey rsa:2048 -out /etc/pki/tls/certs/server.crt -keyout /etc/pki/tls/private/server.key

Answer the questions as they are presented to create your new certificate files, starting with the two-letter country code and ending with your email address. If you make a mistake, don’t worry. Just re-run the command and it will overwrite the files.

Your file permissions may not have been affected, but in some cases you’ll need to update their permissions. Do:

chmod 600 /etc/pki/tls/certs/server.crt
chmod 600 /etc/pki/tls/private/server.key

Step 3: Restart Your Web Server

Type service httpd restart to restart your web server and tell it to use the new certificate files.

You’re done!
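The three steps as one script, added here as an example that is not part of the original post: it answers the Step 2 prompts with -subj, checks that the new key and certificate belong together and that the certificate is not about to expire, confirms the 600 permissions from Step 1, and only then restarts httpd. It assumes the post's file paths, placeholder subject values, and GNU stat as found on Fedora/CentOS.

```shell
#!/bin/sh
# Added example, not from the original post: re-create the self-signed
# certificate non-interactively, verify it, and only then restart httpd.
# Paths are the post's; subject values are placeholders; cert_mode
# relies on GNU stat (Fedora/CentOS).
set -eu

# make_self_signed CRT KEY DAYS SUBJECT: the Step 2 command with -subj
# supplying the prompt answers; umask 077 makes both files owner-only
# (mode 600) as they are written, so no chmod is needed afterwards
make_self_signed() {
    crt=$1; key=$2; days=$3; subj=$4
    (umask 077 && openssl req -new -x509 -nodes -newkey rsa:2048 \
        -days "$days" -subj "$subj" -keyout "$key" -out "$crt")
}

# key_matches_cert CRT KEY: the public key inside the certificate must
# equal the one derived from the private key, or httpd will reject the pair
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = \
      "$(openssl rsa -pubout -in "$2" 2>/dev/null)" ]
}

# cert_valid_for_days CRT DAYS: succeeds only if the certificate is still
# valid DAYS days from now (the condition certwatch warns about)
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# cert_mode FILE: octal permission bits, expected to be 600 as in Step 1
cert_mode() {
    stat -c %a "$1"
}

# renew_and_check CRT KEY: Step 2 plus the checks; any failure stops the
# script before the old, working files are replaced in httpd's view
renew_and_check() {
    make_self_signed "$1" "$2" 365 \
        "/C=US/ST=State/L=City/O=Example Org/CN=ServerName.com/emailAddress=admin@ServerName.com"
    key_matches_cert "$1" "$2"
    cert_valid_for_days "$1" 30
    [ "$(cert_mode "$1")" = 600 ] && [ "$(cert_mode "$2")" = 600 ]
}

# Step 3 only runs when invoked as: sh renew-cert.sh renew (as root)
if [ "${1:-}" = "renew" ]; then
    renew_and_check /etc/pki/tls/certs/server.crt /etc/pki/tls/private/server.key
    service httpd restart
fi
```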

  • sid

    Type service httpd restart to restart your web server and tell it to use the new certificate files.

    — How do I tell my server to use new certificate files?

    • @Sid: Restarting httpd DOES tell your server to use the new cert files. 🙂

  • sid

    That was fast. Thanks a lot. Need to get this done next week during the regular monthly patch updates. Thanks!

  • Sandra

    Thank you so much for that. Couldn’t find the solution articulated in such a straightforward way anywhere else. Brilliant.

  • Thanks, much appreciated!

  • This worked OK for me. Thanks for the instructions.

    Some comments:

    In my particular CentOS installation the files were not named with the same extensions as in the example. My server.key actually had a .pem extension, so I had to do a little housecleaning before everything would work right.

    Please also note that the command in question creates TWO files in TWO directories, which may not be immediately obvious to the first-timer:

    /etc/pki/tls/certs/server.crt

    AND

    /etc/pki/tls/private/server.key

    Both of which need to be properly referenced in /etc/httpd/conf.d/ssl.conf

    --
    Graham Leach

  • Excellent! The RedHat docs aren’t nearly as helpful; this really solved my problem for me. Thank you very much! Note that I combined what you explained with a modification of the make-dummy-cert script that comes with the openssl package. In case anyone else would like to see it, the script is:

    #!/bin/sh
    # Restrict the new files to their owner (mode 600) before openssl writes them
    umask 077

    # Answers to the prompts of openssl req, in order: country, state,
    # locality, organization, unit, common name, email address
    answers() {
        echo US
        echo Massachusetts
        echo Wellesley
        echo Wellesley College
        echo Computer Science Department
        echo cs.wellesley.edu
        echo cs-sysadmin@wellesley.edu
    }

    name="localhost"
    key="/etc/pki/tls/private/$name.key"
    crt="/etc/pki/tls/certs/$name.crt"
    # 1024-bit RSA as in the original script; 2048 bits is the usual minimum today
    answers | /usr/bin/openssl req -newkey rsa:1024 -keyout "$key" -nodes -x509 -days 365 -out "$crt" 2> /dev/null

    ls -l "$key" "$crt"
    apachectl graceful

  • felipem

    Thanks, nice tutorial

  • pipex

    perfect! It’s simple 😉

  • It didn’t work for me. I changed some options of the openssl command so it can work on CentOS 5.9.

    openssl req -new -days 365 -x509 -nodes -newkey rsa:2048 -keyout /etc/pki/tls/private/server.key -out /etc/pki/tls/certs/server.crt

  • Great job, thank you so much Steve! As with Jean, your instructions for making the .crt and .key didn’t work for me. After I saw Jean’s comment, I checked an article in Digital Ocean’s Community by Etel Sverdlov - she is great too 😉

  • Brandon Wood

    For Step 2 I had to change the command by adding ‘-newkey’ in front of ‘rsa:2048’, otherwise it failed to run on my Fedora install: openssl req -new -days 365 -x509 -nodes -newkey rsa:2048 -out /etc/pki/tls/certs/server.crt -keyout /etc/pki/tls/private/server.key
