How to proceed SSL certificate renewal yearly

Jephe Wu - http://linuxtechres.blogspot.com

Updated on 26th May 2011

Objective: How to check and send CSR file to CA for SSL certificate renewal and install the updated SSL certificate on web server.
Environment: Apache SSL website, Linux server

Steps:

1. Prepare CSR file for SSL certificate renewal


If there's no existing CSR file, you can generate one from the existing private key like this:

openssl req -new -key server.key -out server.csr


then view the content of the CSR file (subject, CN, key size) like this:

openssl req -noout -text -in server.csr


2. Make sure the existing or generated CSR file matches the private key file as well as the certificate file, and that the CN is the correct domain name


 openssl req -noout -modulus -in server.csr | openssl md5
 openssl rsa -noout -modulus -in server.key | openssl md5
 openssl x509 -noout -modulus -in server.crt | openssl md5

All three hashes must be identical; if they are not, the files do not belong to the same key pair.


In addition, you can use 'stat server.key' or 'stat server.crt' to check the access time and match it against the Apache start time (from 'ps -efH') on Linux, so that you can be sure which server.key or server.crt file is the one actually in use.
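The three modulus checks above, plus the CN check, as one script. This is an added example, not code from the original post; it takes the key, CSR and certificate paths as arguments (the server.key/server.csr/server.crt names are the post's own), uses sha256 instead of md5 because only equality of the moduli matters, and the expected CN is an optional fourth argument:

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a CSR, a private key
# and a certificate belong to the same key pair and carry the expected CN before
# the CSR is sent to the CA for renewal.

# Hash of the RSA modulus. Identical output for key, CSR and certificate means
# they share the same key pair. Any hash works here since only equality is tested.
modulus_hash() {
    # $1 = req | rsa | x509 (openssl subcommand), $2 = file
    openssl "$1" -noout -modulus -in "$2" | openssl sha256 | awk '{print $NF}'
}

# Subject CN of a CSR (req) or certificate (x509), normalised with RFC2253 so
# the output format is the same across OpenSSL versions.
subject_cn() {
    openssl "$1" -noout -subject -nameopt RFC2253 -in "$2" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_cert_set KEY CSR CRT [EXPECTED_CN]
# Returns 0 when the three moduli match, the CSR and certificate CN agree and
# (if given) the CN is the expected domain name. Prints what it found either way.
check_cert_set() {
    key=$1; csr=$2; crt=$3; expected_cn=$4
    kh=$(modulus_hash rsa "$key")
    rh=$(modulus_hash req "$csr")
    ch=$(modulus_hash x509 "$crt")
    csr_cn=$(subject_cn req "$csr")
    crt_cn=$(subject_cn x509 "$crt")
    printf 'key  %s\ncsr  %s\ncrt  %s\nCN   csr=%s crt=%s\n' \
        "$kh" "$rh" "$ch" "$csr_cn" "$crt_cn"
    status=0
    [ "$kh" = "$rh" ] && [ "$rh" = "$ch" ] ||
        { echo "MISMATCH: key, CSR and certificate moduli differ"; status=1; }
    [ "$csr_cn" = "$crt_cn" ] ||
        { echo "MISMATCH: CSR CN and certificate CN differ"; status=1; }
    if [ -n "$expected_cn" ] && [ "$csr_cn" != "$expected_cn" ]; then
        echo "WRONG CN: expected $expected_cn"; status=1
    fi
    return $status
}

# Usage when run directly: check_cert_set.sh server.key server.csr server.crt jephe.domain.com
if [ "$#" -ge 3 ]; then
    check_cert_set "$@"
fi
```

A non-zero exit from check_cert_set is the signal to stop: either the wrong key file was picked up (the 'stat' tip above helps find the right one) or the CSR was generated for the wrong name, and a CA will happily sign either.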

3. Submit the CSR file to the CA for renewal

4. Verify the CRT file returned by the CA (its modulus hash must equal the key and CSR hashes from step 2)
 openssl x509 -noout -modulus -in server.crt | openssl md5

online check: http://www.sslshopper.com/certificate-decoder.html

5. Install it on the Linux Apache server and restart Apache
Use 'ps -efH' to find the parent PID of Apache, then 'kill -USR1 parent_pid' to make it re-read the configuration so that Apache uses the new certificate file.

Note: what if you also received a chain (intermediate) certificate? For example, a certificate issued by GeoTrust SSL CA has GeoTrust Global CA as its parent CA. Some IE versions don't have GeoTrust SSL CA built in; Firefox 4.0 should have it.

What you need to do is put the following into the Apache SSL configuration file:

SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt
 
then run 'kill -USR1 parent_pid' again to re-read the configuration file.

6. Verification after installing the new cert
a. command line
On the server, run 'openssl s_client -showcerts -connect jephe.domain.com:443' and check that the output shows the new certificate (and the intermediate, if one was configured).

b. browser check

Use IE or Firefox to access the website and check that the new certificate is in place (new expiry date).

c. online tools check

http://www.sslshopper.com/ssl-checker.html
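The command-line check in 6a, and the chain note from step 5, as one script. This is an added example, not code from the original post: it fetches what the server actually presents with 'openssl s_client -showcerts', compares the served leaf certificate with the local server.crt by SHA-256 fingerprint, reports the new expiry date, and runs 'openssl verify' with the served intermediates so a missing SSLCertificateChainFile shows up before a browser complains. Host, port and the server.crt path are arguments (defaults are assumptions, not from the post):

```shell
#!/bin/sh
# Added example (not from the original post): verify the certificate a live
# server presents after renewal, compare it with the file on disk, and check
# that the chain it sends validates.

# Write every PEM certificate found in FILE (e.g. `openssl s_client -showcerts`
# output) to DIR/cert.1, DIR/cert.2, ... and print how many were found.
split_pem_certs() {
    # $1 = input file, $2 = output directory
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }' "$1"
}

# SHA-256 fingerprint of a PEM certificate file as 64 lowercase hex digits.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" |
        sed 's/.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Returns 0 if the certificate in FILE is still valid DAYS from now, 1 if it
# will have expired by then (portable: uses openssl's own -checkend).
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# served_cert_matches HOST PORT LOCAL_CRT
# Fetches the chain from HOST:PORT (SNI set to HOST), prints the served leaf's
# fingerprint and expiry, verifies the chain, and returns 0 only if the served
# leaf is byte-for-byte the same certificate as LOCAL_CRT.
served_cert_matches() {
    host=$1; port=$2; local_crt=$3
    tmp=$(mktemp -d)
    openssl s_client -showcerts -servername "$host" -connect "$host:$port" \
        </dev/null >"$tmp/chain.txt" 2>/dev/null
    n=$(split_pem_certs "$tmp/chain.txt" "$tmp")
    [ "$n" -ge 1 ] || { echo "no certificate received from $host:$port"; return 1; }

    served=$(cert_fingerprint "$tmp/cert.1")
    on_disk=$(cert_fingerprint "$local_crt")
    echo "served leaf : $served"
    echo "local file  : $on_disk"
    openssl x509 -noout -subject -enddate -in "$tmp/cert.1"
    cert_valid_for_days "$tmp/cert.1" 30 || echo "WARNING: served cert expires within 30 days"

    # Intermediates (cert.2 .. cert.N) come from SSLCertificateChainFile; without
    # them, clients that lack the issuing CA will reject the site.
    if [ "$n" -ge 2 ]; then
        i=2
        while [ "$i" -le "$n" ]; do cat "$tmp/cert.$i"; i=$((i + 1)); done \
            >"$tmp/intermediates.pem"
        openssl verify -untrusted "$tmp/intermediates.pem" "$tmp/cert.1" ||
            echo "WARNING: served chain does not verify against the system CA store"
    else
        echo "WARNING: server sent no intermediate certificate (SSLCertificateChainFile not set?)"
    fi

    [ "$served" = "$on_disk" ]
}

# Usage when run directly: check_served_cert.sh jephe.domain.com 443 server.crt
if [ "$#" -ge 1 ]; then
    served_cert_matches "$1" "${2:-443}" "${3:-server.crt}"
fi
```

Run it from another machine as well as from the server itself: the same script on the server only proves that Apache re-read the files after 'kill -USR1', while a run from outside also catches a firewall or load balancer in front of the host still terminating TLS with the old certificate.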

References:

a. http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html
b. http://www.sslshopper.com
c. http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html