I decided to write this post, as I spent some time researching this the last time I had to do it, so I figured I probably weren’t the only one out there who were kinda clueless on this.
Whether you need to install or update a certificate on an Apache instance, the process is largely the same. To sum it up you first have to create a certificate request (CSR), use the CSR during the ordering process at your favourite issuer, install it, and restart the daemon.
Create a key
If you don’t already have a keyfile you would like to use for your CSR, and later your certificate, you need to create one. This can be done with the command below. Follow the prompt to enter a passphrase, and reenter the passphrase to confirm it.
openssl genrsa -des3 -out ~/keyfile.key 2048Create certificate request
To create the CSR run the following command, note how I pass the path of the keyfile as parameter.
openssl req -new -key ~/keyfile.key -out ~/request.csrOrder your certificate online
Whether your favorite supplier is RapidSSL, DigiCert, Symantec (formerly VeriSign), Cloudflare or whatever, the process is largely the same. You choose the certificate type, and pass the content of the request.csr file, in order to receive your certificate.
Install your certificate
If you’re updating an existing certificate, you should be able to find the existing config lines with this command.
grep -i -r "SSLCert" /etc/httpd/Look for the following lines.
SSLCertificateFile /etc/pki/tls/certs/certificate.crt
SSLCertificateKeyFile /etc/pki/tls/private/keyfile.key
SSLCertificateChainFile /etc/pki/tls/certs/CertificateAuthority.crtIf you’re on the other hand configuring from scratch, you most likely won’t have those lines to look for, though you may have them as samples. But you should be able to locate your config file at the following path.
/etc/httpd/sites-enabled/00-sitenameAdd the lines noted above, and copy your certificate files and private key to the paths listed.
Restart httpd
That should be it, now all you have to do is issue a restart of the httpd with the command below.
sudo service httpd restartNow, you’ll notice that the daemon asks for the passphrase of the private key used for the certificate, and that’s no good. To remove the passphrase from the private key, run the command below.
openssl rsa -in ~/keyfile.key -out ~/keyfile_nopwd.keyNow you need to copy over the new private key to the destination noted in your config. Once done, try issuing another httpd restart. This time around is should just restart, without prompting for passphrase, and you’re golden.
Now grab a Miller, and kick back :-)