This article is about replacing an existing self-signed SSL certificate.
In my case I have an Apache 2.2 server running on Fedora 14, pretty much default settings for a lot of stuff. My SSL certificate expired and I just needed to update it.
In my case I have the “ssl.conf” in:
|1.||Login to a terminal/ssl session on the box|
|2.||Stop Apache, in my case “/etc/init.d/httpd”. This is not strictly necessary but probably a good idea|
|3.||Move to the directory where you will keep the SSL certificates and keys. Mine are in the same directory as my “ssl.conf” file:
|4.||If you don’t have a key or want to recreate one run something similar to:
openssl genrsa -des3 -out zoyinc.com.key 1024
|5.||Apache needs a key without a passphrase otherwise it won’t start, instead waiting for you to enter the passphrase, at least that’s my recollection. I imagine there is a way around it but I just change it to remove the passphrase – not something I would do in a production environment but for home I am happy.To create a key without a passphrase run:
openssl rsa -in zoyinc.com.key -out zoyinc.com.nopassphrase.key rm zoyinc.com.key mv zoyinc.com.nopassphrase.key zoyinc.com.key
You will of course be prompted for the passphrase key.
|6.||Now to generate a certificate. Run something similar to:
openssl req -new -key zoyinc.com.key -x509 -days 1095 -out zoyinc.com.crt
You will be prompted for various details for the certificate:
A thing that doesn’t seem to get much press is that the “Common Name” can include a wild card. So I have used “*.zoyinc.com” so it will be considered valid for “www.zoyinc.com” and “dev.zoyinc.com”.
Obviously you may need to update your “ssl.conf” file if you change the name of key or certificate