{"id":822,"date":"2013-02-08T22:35:22","date_gmt":"2013-02-08T09:35:22","guid":{"rendered":"http:\/\/www.zoyinc.com\/?p=822"},"modified":"2013-09-29T19:48:21","modified_gmt":"2013-09-29T06:48:21","slug":"adding-an-ssl-certificate-to-apache","status":"publish","type":"post","link":"http:\/\/www.zoyinc.com\/?p=822","title":{"rendered":"Adding an SSL certificate to Apache"},"content":{"rendered":"

This article is about replacing an existing self-signed SSL certificate.<\/p>\n

In my case I have an Apache 2.2 server running on Fedora 14, pretty much default settings for a lot of stuff. My SSL certificate expired and I just needed to update it.<\/p>\n

In my case I have the “ssl.conf” in:<\/p>\n

\/etc\/httpd\/conf.d\/ssh.conf<\/p>\n

Steps<\/h2>\n\n\n\n\n\n\n\n\n\n
1.<\/td>\nLogin to a terminal\/ssl session on the box<\/td>\n<\/tr>\n
2.<\/td>\nStop Apache, in my case “\/etc\/init.d\/httpd”. This is not strictly necessary but probably a good idea<\/td>\n<\/tr>\n
3.<\/td>\nMove to the directory where you will keep the SSL certificates and keys. Mine are in the same directory as my “ssl.conf” file:<\/p>\n
cd \/etc\/httpd\/conf.d<\/pre>\n<\/td>\n<\/tr>\n
4.<\/td>\nIf you don’t have a key or want to recreate one run something similar to:<\/p>\n
openssl genrsa -des3 -out zoyinc.com.key 1024<\/pre>\n
    \n
  • In this case the key name is obviously “zoyinc.com.key”.<\/li>\n
  • You will be asked for a “passphrase”, which is like a password to the key, so give it a key and note down what it is.<\/li>\n
  • You should find a key file called “zoyinc.com.key” created in the same directory.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n
5.<\/td>\nApache needs a key without a passphrase otherwise it won’t start, instead waiting for you to enter the passphrase, at least that’s my recollection. I imagine there is a way around it but I just change it to remove the passphrase – not something I would do in a production environment but for home I am happy.To create a key without a passphrase run:<\/p>\n
openssl rsa -in zoyinc.com.key -out zoyinc.com.nopassphrase.key\r\nrm zoyinc.com.key\r\nmv zoyinc.com.nopassphrase.key zoyinc.com.key<\/pre>\n
You will of course be prompted for the passphrase key.<\/td>\n<\/tr>\n
6.<\/td>\nNow to generate a certificate. Run something similar to:<\/p>\n
openssl req -new -key zoyinc.com.key -x509 -days 1095 -out zoyinc.com.crt<\/pre>\n
    \n
  • Obviously the key needs to match the key you created earlier or a pre-existing.<\/li>\n
  • The “-days 1095” is how long the certificate should last before expiring. It is important to note the default is only one month. In this case I have set it for 1095 days which is 3 years.<\/li>\n<\/ul>\n
    You will be prompted for various details for the certificate:<\/p>\n
      \n
    1. Country Name – This is a two letter country code, in my case NZ<\/li>\n
    2. State or Province Name – Optional<\/li>\n
    3. Locality Name – Optional but usually city name<\/li>\n
    4. Organization Name – Typically company name<\/li>\n
    5. Organizational Unit Name – department within company, I put “Support”<\/li>\n
    6. Common Name – This is important and is the name of your site, say “www.zoyinc.com”<\/li>\n
    7. Email Address – Email address for people to contact you. This is public info so you may want to be careful what address you use.<\/li>\n<\/ol>\n
      A thing that doesn’t seem to get much press is that the “Common Name” can include a wild card. So I have used “*.zoyinc.com” so it will be considered valid for “www.zoyinc.com” and “dev.zoyinc.com”.<\/td>\n<\/tr>\n
7.<\/td>\nRestart Apache<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

Obviously you may need to update your “ssl.conf” file if you change the name of key or certificate<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

This article is about replacing an existing self-signed SSL certificate. In my case I have an Apache 2.2 server running on Fedora 14, pretty much default settings for a lot of stuff. My SSL certificate expired and I just needed to update it. In my case I have the “ssl.conf” in: \/etc\/httpd\/conf.d\/ssh.conf Steps 1. Login […]<\/p>\n","protected":false},"author":2,"featured_media":848,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[85],"tags":[305,88,87,86],"class_list":["post-822","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-apache","tag-apache","tag-certificate","tag-https","tag-ssl"],"_links":{"self":[{"href":"http:\/\/www.zoyinc.com\/index.php?rest_route=\/wp\/v2\/posts\/822","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.zoyinc.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.zoyinc.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.zoyinc.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.zoyinc.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=822"}],"version-history":[{"count":26,"href":"http:\/\/www.zoyinc.com\/index.php?rest_route=\/wp\/v2\/posts\/822\/revisions"}],"predecessor-version":[{"id":1637,"href":"http:\/\/www.zoyinc.com\/index.php?rest_route=\/wp\/v2\/posts\/822\/revisions\/1637"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/www.zoyinc.com\/index.php?rest_route=\/wp\/v2\/media\/848"}],"wp:attachment":[{"href":"http:\/\/www.zoyinc.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=822"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.zoyinc.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=822"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.zoyinc.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=822"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}