Change certificates used by apache

A collection of tips on how to tweak your Bubba.
tor
Posts: 703
Joined: 06 Dec 2006, 12:24

Change certificates used by apache

Post by tor » 06 Nov 2007, 05:13

If you want to change the certificates used by apache, the ones pointed to by SSLCertificateFile and SSLCertificateKeyFile in the config files, you can do as follows.

Code:

openssl req -new -x509 -nodes -out my_cert.pem -keyout my_privkey.pem

And answer the questions, for example:

If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SE
State or Province Name (full name) [Some-State]:My State
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:Web
Common Name (eg, YOUR name) []:app1.my.dyndns.com
Email Address []:info@app1.my.dyndns.com

This will generate the two files:

my_cert.pem - the certificate
my_privkey.pem - the private key used

Update your apache config entries SSLCertificateFile and SSLCertificateKeyFile to point to these new files or replace the old files. Then reload apache.

Code:

/etc/init.d/apache2 reload

An important note here: you can only have one certificate usable at a given time (per IP number and port at least). So this must be the same as used in the main config, /etc/apache2/sites-available/bubba; if not, Bubba's original certificate will be used.

Rene
Posts: 1
Joined: 16 May 2008, 17:49

Certificates

Post by Rene » 17 May 2008, 10:27

Hello All

I created the two pem files.. did an edit of the bubba file in the sub-map of SSL.. restarted apache.. but.. instead of 3 OKs in the certificate reported by IE I got three problems reported...

What did I do wrong....

bjorn
Posts: 88
Joined: 03 Jan 2007, 09:02

Post by bjorn » 17 May 2008, 12:56

To get "3 ok" from IE your certificate must be:

1: Within its validity dates.
2: Issued to the hostname by which it is accessed.
3: Signed by a Certificate Authority you have chosen to trust.

However, the communication will be encrypted even if you get the "errors".

For example, a certificate could be valid from 20080101 to 20090101, issued to bubba.mydomain.se and signed by myself. And after this I can import the public key of my CertificateAuthority certificate into my browser to pass all checks.

Good luck
/Bjorn
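
The three conditions in the post above can be checked from the shell before pointing apache at a new certificate. This is an added example, not part of the thread; the function names, the -subj values and the throwaway demo certificate are its own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a PEM certificate against the
# three conditions listed above. Function names are this example's own.

# 1: the certificate has not expired (-checkend 0 = "still valid 0 s from now").
check_dates() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# 2: the certificate is issued to the hostname used to reach the server.
# openssl prints "does match" or "does NOT match"; the result is read from
# that text. With no subjectAltName present it compares the Common Name.
check_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# 3: the certificate chains to a CA in trust file $2. For a self-signed
# certificate the trust file must contain the certificate itself.
check_trust() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Report all three; returns non-zero if any check fails.
check_cert() {   # check_cert CERT HOSTNAME TRUSTFILE
    rc=0
    check_dates "$1"      && echo "1 dates: ok"    || { echo "1 dates: FAIL"; rc=1; }
    check_host "$1" "$2"  && echo "2 hostname: ok" || { echo "2 hostname: FAIL"; rc=1; }
    check_trust "$1" "$3" && echo "3 trust: ok"    || { echo "3 trust: FAIL"; rc=1; }
    return $rc
}

# Constructed sample: a throwaway self-signed certificate like the one in the
# first post, created non-interactively with -subj instead of the prompts.
make_demo_cert() {   # make_demo_cert DIR COMMON_NAME
    openssl req -new -x509 -nodes -days 1000 -subj "/C=SE/O=My Company/CN=$2" \
        -out "$1/my_cert.pem" -keyout "$1/my_privkey.pem" >/dev/null 2>&1
}

if [ $# -eq 3 ]; then
    check_cert "$@"
else   # no arguments: demonstrate on the constructed certificate
    d=$(mktemp -d) && make_demo_cert "$d" app1.my.dyndns.com &&
        check_cert "$d/my_cert.pem" app1.my.dyndns.com "$d/my_cert.pem"
    rm -rf "$d"
fi
```

Current browsers such as Chrome and Firefox match the hostname against subjectAltName only, so a certificate that carries just a Common Name can pass check 2 here and still be flagged by them.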

JanLarsen
Posts: 18
Joined: 18 Apr 2008, 17:11

Post by JanLarsen » 20 May 2008, 04:16

A little tip: if you want your certificate to be valid longer than 30 days use the -days <number of days> option.

For example:

Code:

openssl req -new -x509 -nodes -out my_cert.pem -keyout my_privkey.pem -days 1000
