It is that time of the year when I needed to renew all of my SSL certificates for my web servers and email servers. This post is a reminder for myself on the steps and commands needed to succesfully renew the certificates, for future reference.
First, check the current certificates and key files. For CentOS 6, this is located at /etc/pki/tls/private and /etc/pki/tls/certs.
[root@localhost ~]# cd /etc/pki/tls/private [root@localhost private]# ls -lart -rw-------. 1 root root 1704 Feb 19 2014 localhost.key -rw-r--r--. 1 root root 1033 Feb 20 2014 localhost.csr drwxr-xr-x. 5 root root 4096 Jan 29 15:33 .. drwxr-xr-x. 2 root root 4096 Feb 16 09:06 . [root@localhost private]# cd ../certs [root@localhost certs]# ls -lart -rw-r--r--. 1 root root 1805 Feb 20 2014 localhost.crt -rw-r--r--. 1 root root 1757 Feb 20 2014 localhost-chain.crt -rw-r--r--. 1 root root 1521 Feb 20 2014 localhost-root.crt -rw-r--r--. 1 root root 5083 Feb 20 2014 localhost-postfix.crt -rw-r--r--. 1 root root 1005005 Jul 14 2014 ca-bundle.trust.crt -rw-r--r--. 1 root root 786601 Jul 14 2014 ca-bundle.crt -rwxr-xr-x. 1 root root 829 Jan 21 01:32 renew-dummy-cert -rw-r--r--. 1 root root 2242 Jan 21 01:32 Makefile -rwxr-xr-x. 1 root root 610 Jan 21 01:32 make-dummy-cert drwxr-xr-x. 5 root root 4096 Jan 29 15:33 .. drwxr-xr-x. 2 root root 4096 Feb 16 09:09 .
Next create the new certificate signing request (CSR). Take this chance to create a new private key, with perhaps a higher number of bits and a better algorithm. This is done using the -newkey, -sha256, and -keyout flags. The -nodes flag is used to create the new private key without a passphrase (so that the services using the private key can start without needing input from a human).
[root@localhost ~]# cd /etc/pki/tls/private/ [root@localhost private]# openssl req -nodes -newkey rsa:4096 -sha256 -keyout localhost-new.key -out localhost-new.csr Generating a 4096 bit RSA private key ................................................++ ......................++ writing new private key to 'localhost-new.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:MY State or Province Name (full name) []:Kuala Lumpur Locality Name (eg, city) [Default City]:Kuala Lumpur Organization Name (eg, company) [Default Company Ltd]:hazrulnizam.com Organizational Unit Name (eg, section) []:localhost Common Name (eg, your name or your server's hostname) []:localhost.hazrulnizam.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@localhost private]# ls -lart -rw-------. 1 root root 1704 Feb 19 2014 localhost.key -rw-r--r--. 1 root root 1033 Feb 20 2014 localhost.csr drwxr-xr-x. 5 root root 4096 Jan 29 15:33 .. -rw-r--r--. 1 root root 3272 Feb 16 10:05 localhost-new.key -rw-r--r--. 1 root root 1748 Feb 16 10:05 localhost-new.csr drwxr-xr-x. 2 root root 4096 Feb 16 10:05 .
Send the CSR file (localhost-new.csr) to the certificate authority, and wait for them to issue the certificate for your new key. Put the certificate files (including the CA root and chain) in the /etc/pki/tls/certs directory. Do not overwrite the old certificates yet! I named them localhost-new.crt, localhost-chain-new.crt and localhost-root-new.crt
Now we need to stop all the services using the old certificates.
[root@localhost ~]# service httpd stop Stopping httpd: [ OK ] [root@localhost ~]# service dovecot stop Stopping Dovecot Imap: [ OK ] [root@localhost ~]# service postfix stop Shutting down postfix: [ OK ]
Now rename the old certificates for backup.
[root@localhost ~]# cd /etc/pki/tls/certs [root@localhost certs]# mv localhost.crt localhost-old.crt [root@localhost certs]# mv localhost-chain.crt localhost-chain-old.crt [root@localhost certs]# mv localhost-root.crt localhost-root-old.crt [root@localhost certs]# mv localhost-postfix.crt localhost-postfix-old.crt
Then it is time to rename the new certificates to take the old certificates’ names.
[root@localhost certs]# mv localhost-new.crt localhost.crt [root@localhost certs]# mv localhost-chain-new.crt localhost-chain.crt [root@localhost certs]# mv localhost-root-new.crt localhost-root.crt
For postfix, all the root, chain and host certificates need to be in one file. Create that file, taking the old file name.
[root@localhost certs]# cat localhost.crt >> localhost-postfix.crt [root@localhost certs]# cat localhost-chain.crt >> localhost-postfix.crt [root@localhost certs]# cat localhost-root.crt >> localhost-postfix.crt
Start all the services that was stopped.
[root@localhost ~]# service postfix start Starting postfix: [ OK ] [root@localhost ~]# service dovecot start Starting Dovecot Imap: [ OK ] [root@localhost ~]# service httpd start Starting httpd: [ OK ]
If everything is done correctly, this should be the end of the exercise. Test all the services and make sure everything is working as before.