SSL Help

leifjohnson · 2014-01-22T14:51:30.000Z

My head hurts!

I have inherited a web server It’s a centos box running Apache. I’m no expert with apache, nor was I told I needed to be, but for the most part I’m fine. Now it turns out that my predecessor hand several ssl certs for various sites, that he managed on the server. I had zero documentation for the server bar the password, and it was only when I received an email yesterday reminding me that my cert will expire soon that I knew it was a beast I needed to tackle.

Now I know very little about this and have yet to do it. I have gone though some instructions online but there not matching up with what I have in front of me.

So here’s were I’m at. I have renewed the the cert and was issued a domain.pem and a domain.csr file. I later received some instructions telling me to install the X.509 cert and the intermediate cert included in the email.

I have on my apache server found the virtual-host file for the domain in question. It contains the following SSL lines.

        SSLEngine On
        SSLCertificateFile /etc/httpd/conf/ssl/mydomain.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl/mydomain.key
              SSLCertificateChainFile /etc/httpd/conf/ssl/RapidSSL_CA_bundle.pem

Now at this point I am just lost, what do I need to next? Thanks for any help.

j-seb · 2014-01-22T14:58:55.000Z

I haven’t done this in a long time but i remember using this as guideline.
Beside the ssl provider have some guideline as well on their website.

http://wiki.centos.org/HowTos/Https

alex3031 · 2014-01-22T15:49:56.000Z

If I am not mistake copy these files to the location specified in the configuration, in that location you should see the ones that are already pointed at. Next either rename the new files you received to match the names in the configration or modify the configuration to point att he new file. Then restart Apache that’s all there should be to it.

j-seb · 2014-01-22T15:52:14.000Z

Alex3031:

If I am not mistake copy these files to the location specified in the configuration, in that location you should see the ones that are already pointed at. Next either rename the new files you received to match the names in the configration or modify the configuration to point att he new file. Then restart Apache that’s all there should be to it.

That sums up the link i posted.

alex3031 · 2014-01-22T15:53:45.000Z

In this case, by the way, the RapidSSL pem file is the intermediate and of course the crt file is the x.509 cert. Key shouldn’t change as that should be unique to your server, the reason you create the CSR.

alex3031 · 2014-01-22T16:14:26.000Z

J-Seb:

Alex3031:

If I am not mistake copy these files to the location specified in the configuration, in that location you should see the ones that are already pointed at. Next either rename the new files you received to match the names in the configration or modify the configuration to point att he new file. Then restart Apache that’s all there should be to it.

That sums up the link i posted.

True, though I think it over complicated it a bit, in that it obviously adhered to some best practices that may not have been adhered to here as well, plus it covered a self signed certificate.

leifjohnson · 2014-01-22T16:35:10.000Z

Cheers Alex, that’s what I needed. I just wasn’t finding which cert for which size whole and as you say a lot of the info out there goes into a lot of detail, and just confused me more.

It’s about quitting time so I’ll try in the morning.

I’m dreading it, it’s the first time I’ll be restating anything on the web server. I had hoped to migrate everything off of it and onto new hardware and in the process a new setup that I knew the ins and outs of, before a situation like this arose.

leifjohnson · 2014-01-23T13:49:15.000Z

Right I’ve been hitting the books today. As I don’t recall at any point providing the csr when having the cert signed I imagine that the process on the site I used auto-generated a new csr file.

So if I understand it correctly the csr file I was asked to download will be the new one. They also asked me to download a pem file. When I look at it starts with -----BEGIN PRIVATE KEY------. So I guess this is the the new private key and the cert will of been signed with this in mind.

So I will need to replace the private key as well?

Do I just rename the pem file domain.key? Also the existing private key starts with -----BEGIN RSA PRIVATE KEY------ Is that going to be an issue?

I imagine tis like riding a bike. The first time is shaky but you never forget after that.

alex3031 · 2014-01-23T14:01:50.000Z

Something sounds awkward here the process should be you create a CSR request from your machine then they use that to generate the key file. But maybe since there is an intermediary authority it might be a bit different.

the pem file is the private key file, but I’m not sure it can be used that way.

Looking at your original post again it looks as though your recieved the private key and a CSR file which isn’t what you should have gotten unless you are generating the certs yourself.

Something seems wrong here, take a look at this page What is a CSR (Certificate Signing Request)?

You don’t actually have the certificates, or the key files, they still have to be generated, or did you get more files than you mentioned?

leifjohnson · 2014-01-23T14:33:19.000Z

I’ll bullet point the steps I took as everything I read talks about generating your own csr file as you say Alex.

I went to the site which was last used by my company, which was servertastic.com.
I checked my order history and determined the domain that was up for renewal.
I selected the renewal option, which just to choose my previous product from the buy section, which I then did.
I then went through the credit card stuff, and received a confirmation email.
This was then followed by another email, with a link to continue the order. Reading the email back it does contain the following "During the order process you can either supply your own CSR or use our system to auto-generate your CSR for you. If you opt for auto-generation then you MUST save a copy of your private key at the end of the process."
Now I must of opted for the generate option as I never gave CSR. I was then met with a screen saying that I must save the following information. Which was a domain.pem and the domain.csr file. I was then thanked and asked to provide an address relating to the domain for the CA to contact and that this could take up to 5 minutes.
I then received an email from sslorders@geotrust, asking me to confirm the order that I had placed. I followed the link and confirmed.
Finally I received another email from sslorders, containing a cert and an intermediate cert.

That pretty much sums up the process, having never done it before I had nothing to compare it to and thought it was all pretty standard.

alex3031 · 2014-01-23T14:44:59.000Z

OK, it looks like you now have a geotrust instead of RapisSSL certificate. So I’d point the chain cert to the new intermediate cert file and the cert to the new cert file you have. You could try and change the key file to point to the .pem file otherwise you need to use openssl at the command line to convert the pem to a key file. See this ssl - How to get .pem file from .key and .crt files? - Stack Overflow not the exact command you need (essentially the reverse) but basically pull in the pem file and output a key file. Then point the config to that.

leifjohnson · 2014-01-23T15:58:59.000Z

Alex, yet again I owe you one…

That was far to arse clenching, for something that ended up being so trivial. In the end I just copied and pasted the new certs and keys into the existing ones. I figured with the private key, as a .pem is a container for multiple keys and certs and they only had the one in it, it was safe to copy out.

I crossed my fingers and restarted httpd. It came back up fine and the new cert has applied fine.

I’ve certainly learnt a lot, as I thought it was like riding a bike. Now I’ve done it and I’ve got all the jargon, it will be a 2 minute job in the future.