Created April 9, 2014 16:42
Generating a new self-signed CSR and SSL certificates on Ubuntu
# These are the commands I ran to regenerate a self-signed CSR and SSL certificate on an Ubuntu
# server after the Heartbleed SSL vulnerability was discovered. This should be done after you
# have upgraded OpenSSL. I ran the following as root.
cd /etc/ssl/private
# Generate a password-protected 2048-bit RSA key for the CSR.
openssl genrsa -des3 -out server-20140409.key 2048
# Next use the password-protected key to create a non-password-protected key, so you
# don't have to type the password every time you start Apache.
openssl rsa -in server-20140409.key -out server-20140409.key.insecure
# Swap the key files around.
mv server-20140409.key server-20140409.key.secure
mv server-20140409.key.insecure server-20140409.key
# Create the CSR using the non-password-protected key. Fill in appropriate values
# when prompted. Use the server DNS name for the Common Name field. Leave the
# challenge password field blank.
openssl req -new -key server-20140409.key -out server-20140409.csr
# Now create the server certificate. In this example, the cert will expire in 1 year.
openssl x509 -req -days 365 -in server-20140409.csr -signkey server-20140409.key -out server-20140409.crt
# Move the certificate to the correct directory.
mv server-20140409.crt ../certs/
# Switch to your Apache configuration directory, and use the new key. Here are the
# values that should be used for the SSL configuration directives.
# SSLCertificateFile /etc/ssl/certs/server-20140409.crt
# SSLCertificateKeyFile /etc/ssl/private/server-20140409.key
# The grep command will give you an idea of where you are configuring SSL key files.
cd /etc/apache2/
grep -r SSLCertificate sites-available
# Restart Apache.
service apache2 restart
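A post-rekey check for the files produced above: it confirms the certificate was issued for the new key, that the key is at least 2048 bits, and that the unencrypted key file is not readable by group or other. This is an added example, not part of the original gist; the function names (`key_pub`, `cert_pub`, `key_bits`, `check_rekey`) are hypothetical, and it assumes an RSA key and the `openssl` CLI.

```shell
#!/bin/sh
# Added example (not from the original gist). Hypothetical helper names.
# Usage: check_rekey /etc/ssl/private/server-20140409.key \
#                    /etc/ssl/certs/server-20140409.crt

# Public key (PEM) derived from a private key file. "-passin pass:" stops
# openssl from prompting if the file is still passphrase protected.
key_pub() { openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null; }

# Public key (PEM) embedded in a certificate.
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Key size in bits, parsed from the "Private-Key: (N bit" line.
key_bits() {
    openssl pkey -in "$1" -passin pass: -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Returns 0 if all checks pass, 1 if any check fails, 2 if a file is unreadable.
check_rekey() {
    key=$1 cert=$2 rc=0
    key_pk=$(key_pub "$key") ||
        { echo "FAIL: cannot read $key (passphrase protected?)"; return 2; }
    cert_pk=$(cert_pub "$cert") ||
        { echo "FAIL: cannot read $cert"; return 2; }

    # A certificate signed with a different (e.g. pre-Heartbleed) key
    # will carry a different public key.
    [ "$key_pk" = "$cert_pk" ] ||
        { echo "FAIL: $cert was not issued for $key"; rc=1; }

    bits=$(key_bits "$key")
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: RSA key is ${bits:-unknown} bits, want >= 2048"; rc=1; }

    # Characters 5-10 of the ls mode string are the group/other bits.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: $key is accessible to group/other"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $key matches $cert"
    return "$rc"
}
```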