@mikepj
Created April 9, 2014 16:42
Generating a new self-signed CSR and SSL certificates on Ubuntu
# These are the commands I ran to regenerate a self-signed CSR and SSL certificate on an Ubuntu
# server after the Heartbleed OpenSSL vulnerability was discovered. This should be done after you
# have upgraded OpenSSL (the old key must be treated as compromised, so a fresh one is required).
# I ran the following as root.
cd /etc/ssl/private
# Generate a password-protected key for the CSR.
# Note: 1024-bit RSA is below current minimum recommendations; 2048 bits or more is the
# usual choice today.
openssl genrsa -des3 -out server-20140409.key 1024
# Next use the password protected key to create a non-password protected key, so you
# don't have to type the password every time you start Apache.
openssl rsa -in server-20140409.key -out server-20140409.key.insecure
# Swap the key files around.
mv server-20140409.key server-20140409.key.secure
mv server-20140409.key.insecure server-20140409.key
# Create the CSR using the non-password-protected key. Fill in appropriate values
# when prompted. Use the server DNS name for the Common Name field. Leave the
# challenge password field blank.
openssl req -new -key server-20140409.key -out server-20140409.csr
# Now create the server certificate. In this example, the cert will expire in 1 year.
openssl x509 -req -days 365 -in server-20140409.csr -signkey server-20140409.key -out server-20140409.crt
# Move the certificate to the correct directory.
mv server-20140409.crt ../certs/
# Switch to your Apache configuration directory, and use the new key. Here are the
# values that should be used for the SSL configuration directives.
# SSLCertificateFile /etc/ssl/certs/server-20140409.crt
# SSLCertificateKeyFile /etc/ssl/private/server-20140409.key
# The grep command shows which site configs reference SSL key and certificate files,
# so you can update every SSLCertificateFile / SSLCertificateKeyFile directive.
cd /etc/apache2/
grep -r SSLCertificate sites-available
# Restart Apache so it loads the new key and certificate.
service apache2 restart
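The same key, CSR and self-signed certificate procedure as a non-interactive script, written as an added example (not the gist author's commands). It uses `-subj` instead of the interactive prompts, generates the unencrypted key directly under a restrictive umask instead of the encrypt-then-decrypt two-file step, uses 2048-bit RSA rather than 1024, and adds the checks worth running before pointing Apache at the files: that the key and certificate share a modulus, that the Common Name is what you asked for, that the key length is what you expect, and that the certificate is not already expiring. The output directory, file names and the `www.example.test` common name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original gist. Assumes the openssl CLI
# (1.0.2 through 3.x); directory, file names and CN are placeholders.
set -eu

# Generate key, CSR and self-signed cert in $1 for common name $2.
# $3 = RSA key size in bits (2048 default; 1024 is below current minimums),
# $4 = certificate lifetime in days.
gen_selfsigned() {
    local dir=$1 cn=$2 bits=${3:-2048} days=${4:-365}
    mkdir -p "$dir"
    # Write the unencrypted key with a 0600 umask: Apache needs to read it
    # without a passphrase at startup, so file permissions are the control.
    (umask 077 && openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null)
    # -subj makes the CSR non-interactive; no challenge password is set.
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" \
        -out "$dir/server.csr" 2>/dev/null
    # Verify the CSR's own signature before signing anything with it.
    openssl req -noout -verify -in "$dir/server.csr" >/dev/null 2>&1
    # Self-sign the request with the same key (equivalent to the gist's step).
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Return 0 if the private key and certificate share the same RSA modulus,
# i.e. SSLCertificateKeyFile and SSLCertificateFile really belong together.
key_matches_cert() {
    local k c
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the certificate's Common Name, normalised across OpenSSL versions.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 if the certificate is still valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# Print the RSA modulus length in bits, so a weak key is caught before deployment.
key_bits() {
    openssl rsa -noout -text -in "$1" 2>/dev/null \
        | sed -n '1s/.*(\([0-9]*\) bit.*/\1/p'
}

# Stand-alone demo in a throwaway directory (constructed paths, not /etc/ssl).
demo_dir=$(mktemp -d)
gen_selfsigned "$demo_dir" www.example.test 2048 365
if key_matches_cert "$demo_dir/server.key" "$demo_dir/server.crt"; then
    echo "key/cert pair OK: CN=$(cert_cn "$demo_dir/server.crt"), $(key_bits "$demo_dir/server.key")-bit RSA"
    echo "SSLCertificateFile $demo_dir/server.crt"
    echo "SSLCertificateKeyFile $demo_dir/server.key"
else
    echo "key and certificate do not match" >&2
    exit 1
fi
```

The modulus comparison is the check that catches the most common deployment mistake after a rotation like this one: an Apache config that points at the new certificate but still at the old key (or vice versa), which fails only at restart.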