Thursday, February 27, 2014

How to import an SSL certificate (renewing an SSL cert)

Hello, everyone!

I was stuck on SSL certification for almost a week until I found the solution for how to import the SSL key. Below is my solution.

My background
  • OS : Red Hat Linux 6.2
  • Web Server : Apache HTTP Server with mod_ssl (OpenSSL), Apache Tomcat
  • This is a renewal.

I will not say much about CSR generation here, because it is just a command into which you key in your organization's information. Briefly, these are the steps.

1. Create the new key (even for a renewal, generating a fresh key is preferable to reusing the old one)
# openssl genrsa -des3 -out <key_name.key> 2048

2. Generate the CSR file
# openssl req -new -key <key_name.key> -out <csr_name.csr>

3. Remove the passphrase (so Apache and Tomcat can start without prompting)
# cp -p <key_name.key> <key_name.key.org>
# openssl rsa -in <key_name.key.org> -out <key_name.key>
The resulting key is unencrypted, so anyone who can read the file owns your certificate: make sure both key files are owned by root with mode 600.

4. After I send the CSR file to the CA for verification, they send me a download URL for the new SSL certificate. I get 3 files in total:
- certificate file (sslcert.crt)
- certificate chain file (ca.crt), i.e. the intermediate CA certificate(s)
- certificate root file (root.crt)

Then I put all 3 files above plus <key_name.key> into a tar file and upload it to the server whose SSL certificate I want to renew. If the key was generated on a different machine, transfer the tar file over an encrypted channel such as scp and delete the copy of the key on that machine afterwards; the private key should only live on the server.

5. Back up your old certificate files (tar them, copy them under a new name, or any method you prefer).

6.1 Apache (mod_ssl)
Check the directives below and put the new certificate files at the same paths and names they point to:
- SSLCertificateFile (sslcert.crt)
- SSLCertificateKeyFile (key_name.key)
- SSLCertificateChainFile (ca.crt)
The config file is located at <apache_home>/conf/httpd.conf or <apache_home>/conf/extra/httpd-ssl.conf. The key file must be readable by root only; Apache reads it before dropping privileges.

6.2 Apache Tomcat
6.2.1 Build the CA chain file (intermediate first, then root)
# cat ca.crt root.crt > chainCA.crt

6.2.2 Generate the new PKCS12 file
# openssl pkcs12 -export -in <sslcert.crt> -inkey <key_name.key> -out <p12_name.p12> -CAfile <chainCA.crt> -caname root -chain

Enter the export password when prompted. Since the key no longer has a passphrase, this prompt is for the password that protects the PKCS12 file, and it must match the keystorePass value in the Tomcat connector. The -chain option also makes openssl verify sslcert.crt against chainCA.crt, so if the export fails with a chain error, the intermediate or root file is wrong.

6.2.3 Put the newly created PKCS12 file at the path given by keystoreFile in the SSL <Connector>, which must also have keystoreType="PKCS12".
The configuration file is located at <apacheTomcat_home>/conf/server.xml

7. Restart your web server
7.1 Apache (mod_ssl)
# <apache_home>/bin/apachectl restart
(Run apachectl configtest first so a typo in the certificate paths does not take the site down.)
7.2 Apache Tomcat
# /etc/init.d/tomcat restart or service tomcat restart

8. Verify your certificate in the web browser: check the expiry date, the issuer, and that the full chain is presented. The same can be checked from the command line with openssl s_client -connect <host>:443 -showcerts.
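Before restarting, it is worth checking offline that the new certificate actually matches the key, that it chains to the root, and that the PKCS12 file opens with the password you intend to put in server.xml. The script below is an added example and is not part of the original post; it uses the file names from the steps above (sslcert.crt, ca.crt, root.crt, chainCA.crt) and a throwaway root -> intermediate -> server PKI built by make_test_pki so the checks can be exercised without a real CA. That PKI, its file names (server.key, site.p12) and the password are constructed for this example only.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a renewed
# certificate before Apache or Tomcat is restarted. make_test_pki builds a
# constructed root -> intermediate -> server chain for offline testing.

# 0 if the certificate's public key belongs to the private key (compare moduli).
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null | openssl sha256)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the server cert ($1) chains through the intermediate ($2) to the root ($3).
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# 0 if the certificate ($1) is still valid $2 days from now.
valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Print how many certificates the PKCS12 file ($1) holds under password $2
# (0 if the password is wrong). With -chain, expect server + intermediate + root.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Build a constructed test PKI in directory $1, with PKCS12 password $2.
# File names follow the post: ca.crt is the intermediate, root.crt the root.
make_test_pki() {
    d="$1"; pass="$2"
    mkdir -p "$d"
    # Self-signed root CA.
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$d/root.key" \
        -subj "/CN=Example Test Root" -days 3650 -out "$d/root.crt" 2>/dev/null
    # Intermediate CA; basicConstraints is required or verify will not accept it as an issuer.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -subj "/CN=Example Test Intermediate" -out "$d/ca.csr" 2>/dev/null
    openssl x509 -req -in "$d/ca.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 1 -days 1825 -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
    # Server key and CSR (steps 1-3 of the post, without the passphrase round trip),
    # signed by the intermediate for one year.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" \
        -subj "/CN=www.example.com" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 2 -days 365 -out "$d/sslcert.crt" 2>/dev/null
    chmod 600 "$d"/*.key
    # Steps 6.2.1 and 6.2.2 of the post.
    cat "$d/ca.crt" "$d/root.crt" > "$d/chainCA.crt"
    openssl pkcs12 -export -in "$d/sslcert.crt" -inkey "$d/server.key" \
        -out "$d/site.p12" -CAfile "$d/chainCA.crt" -caname root -chain \
        -passout "pass:$pass" 2>/dev/null
}
```

On the real server, run the four checks against the uploaded files (sslcert.crt, ca.crt, root.crt, your key and your .p12) and only restart when all of them pass; a key mismatch or a broken chain is exactly what makes Apache refuse to start or makes browsers show a chain warning after the restart.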

All is done!

Hope this article may be useful for anyone. ^^
