SelfSignedCertificates
22 Nov 2009 01:31 UTC

How to Update/Create Our Self-signed SSL Certificates

We use self-signed certificates for SSL. All certificates are signed by a master signing certificate which can be found at: http://meridian.tamucc.edu/cbi-ca.crt

OpenSSL ships a certificate authority script for signing certificates; on meridian it is at /etc/pki/tls/misc/CA.

Instructions for signing certificates

  1. cd /etc/pki/tls/misc/
  2. Check whether a {servername}-req.pem file already exists for the server you are creating a new certificate for (e.g., lighthouse.tamucc.edu-req.pem). If it does not, you first have to create a new certificate request and private key (see the section below).
  3. The CA script reads its input from newkey.pem and newreq.pem, so copy {servername}-req.pem to newreq.pem and {servername}-key.pem to newkey.pem (if you just created a new request and key, these files are already in place):
    1. cp lighthouse.tamucc.edu-key.pem newkey.pem
    2. cp lighthouse.tamucc.edu-req.pem newreq.pem
  4. Sign the request:
    1. ./CA -sign
    2. Enter the certificate authority pass phrase
    3. Enter y to sign the certificate for 1 year and y again to commit
  5. Copy newcert.pem to {servername}-cert.pem (e.g., lighthouse.tamucc.edu-cert.pem)
  6. Copy {servername}-cert.pem and {servername}-key.pem to the appropriate location on that server (/etc/httpd/conf/ssl).
  7. Make sure the mode on {servername}-key.pem is 0600 (octal).
  8. Restart Apache: /etc/init.d/httpd restart
  9. Stop! You're finished!

Create a new certificate request and private key

This is done on a per-host basis (this example assumes we are doing this for lighthouse) and only needs to be done once per host (i.e., not annually).

  1. cd /etc/pki/tls/misc/
  2. ./CA -newreq
  3. Enter a pass phrase (it doesn't matter what it is; we'll remove it later)
  4. Verify the pass phrase (type it again)
  5. Enter the Country, State, City, Org Name, and Unit Name (the defaults should already be set for CBI)
  6. Enter the server name (e.g., lighthouse.tamucc.edu)
  7. Enter the email address (the default of root@lighthouse.tamucc.edu should be fine)
  8. There is no need to enter any extra attributes
  9. Remove the pass phrase from the key
    1. mv newkey.pem newkey.pem.bak
    2. openssl rsa -in newkey.pem.bak -out newkey.pem
    3. rm newkey.pem.bak (we don't need the pass-phrase-protected copy any more)
  10. Copy the request and key to files named for the server they belong to, so they are available for future re-signing (see the other requests and keys in /etc/pki/tls/misc/):
    1. cp newreq.pem lighthouse.tamucc.edu-req.pem
    2. cp newkey.pem lighthouse.tamucc.edu-key.pem
    3. Make sure any key files (newkey.pem, lighthouse.tamucc.edu-key.pem) are mode 0600.
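A sanity check to run on the signed {servername}-cert.pem / {servername}-key.pem pair before copying it to the server (step 6 of the signing instructions), together with a self-contained walk-through of the request-and-sign flow above using plain openssl commands. This is an added example, not the CA script or anything from the original page; the throwaway CA, the host name lighthouse.example and the file names are constructed, and it assumes the OpenSSL command-line tool (1.1.1 or newer) is installed.

```shell
#!/bin/sh
# Added example, not part of the original page. Checks a freshly signed
# {servername}-cert.pem / {servername}-key.pem pair against the CA cert before
# it is copied to /etc/httpd/conf/ssl and Apache is restarted. Assumes the
# OpenSSL command-line tool (1.1.1 or newer) is installed.
set -eu

# check_cert_pair CA_CERT SERVER_CERT SERVER_KEY
# Succeeds only if the key has no pass phrase, is mode 0600, belongs to the
# certificate, the certificate chains to the CA, and it is good for 30+ days.
check_cert_pair() {
  ca=$1 cert=$2 key=$3
  # A pass-phrase-protected key would stall Apache at startup; a bogus -passin
  # makes openssl fail on such a key instead of prompting for the phrase.
  openssl rsa -in "$key" -noout -passin pass:x >/dev/null 2>&1 \
    || { echo "FAIL: $key is encrypted or unreadable"; return 1; }
  [ -n "$(find "$key" -perm 0600 -print)" ] \
    || { echo "FAIL: $key is not mode 0600"; return 1; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: $key does not match $cert"; return 1; }
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert is not signed by $ca"; return 1; }
  # -checkend fails if the certificate expires within the given seconds (30 days)
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
    || { echo "FAIL: $cert expires within 30 days; re-sign it"; return 1; }
  echo "OK: $cert and $key are ready to deploy"
}

# make_demo_pair DIR: constructed test data only. Builds a throwaway signing CA
# (standing in for cbi-ca.crt) plus a pass-phrase-free key, a request and a
# one-year certificate for a made-up host, with plain openssl commands instead
# of the CA script.
make_demo_pair() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/O=Demo/CN=Demo CA" \
    -keyout "$d/ca-key.pem" -out "$d/ca-cert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Demo/CN=lighthouse.example" \
    -keyout "$d/lighthouse.example-key.pem" -out "$d/lighthouse.example-req.pem" 2>/dev/null
  chmod 0600 "$d/lighthouse.example-key.pem"
  openssl x509 -req -days 365 -in "$d/lighthouse.example-req.pem" \
    -CA "$d/ca-cert.pem" -CAkey "$d/ca-key.pem" -CAcreateserial \
    -out "$d/lighthouse.example-cert.pem" 2>/dev/null
}

# Stand-alone run: build the constructed pair in a temp dir and check it
demo=$(mktemp -d)
make_demo_pair "$demo"
check_cert_pair "$demo/ca-cert.pem" "$demo/lighthouse.example-cert.pem" "$demo/lighthouse.example-key.pem"
rm -rf "$demo"
```

For a real server, run check_cert_pair with cbi-ca.crt, {servername}-cert.pem and {servername}-key.pem in /etc/pki/tls/misc/ before copying the files over.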

The important CA files (which need to be backed up) are:

  • everything in /etc/pki/CA/
  • /etc/pki/tls/openssl.cnf
  • /etc/pki/tls/misc/*.pem

It's probably a good idea to back up everything in /etc/pki.

Page last modified on August 31, 2009, at 05:41 PM