septiembre 20, 2016

The certificate needs to be renewed; this can be doneusing the 'genkey' program

One of my web servers sent me this email this morning:
Subject: The certificate for ServerName.com has expired
################# SSL Certificate Warning ################
Certificate for hostname 'ServerName.com', in file (or by nickname): /etc/pki/tls/certs/server.crt
The certificate needs to be renewed; this can be done using the 'genkey' program.
Browsers will not be able to correctly connect to this web site using SSL until the certificate is renewed.
##########################################################
Generated by certwatch(1)
The only problem is that the server lied. 🙂 You can use the ‘genkey’ program to renew an SSL certificate if your certificate is signed by a CA (Certificate Authority), but if you’re using a self-signed certificate (like me), then genkey won’t work. The quickest solution is to merely re-create your own certificate.

Step 1: Verify Your Current Certificate Directives

If your certificate has recently expired, then it’s probably been at least a year since you tinkered with it. The warning email told you the path of your certificate file, but you should also verify the filenames, locations, and the directives of your web server’s SSL configuration by doing:
grep SSLCertificate /etc/httpd/conf.d/ssl.conf
You should get something like:
# Point SSLCertificateFile at a PEM encoded certificate. If
 SSLCertificateFile /etc/pki/tls/certs/server.crt
 SSLCertificateKeyFile /etc/pki/tls/private/server.key
 # Point SSLCertificateChainFile at a file containing the
 # the referenced file can be the same as SSLCertificateFile
 #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
You’re interested in the SSLCertificateFile and SSLCertificateKeyFile directives. This example uses server.crt and server.key as the names of the certificate files. Yours may be different. Just replace them as necessary in the following instructions.
Next, take note of the permissions of those two files:
ls -lh /etc/pki/tls/certs/server.crt
 -rw------- 1 root root 1.5K Jun 24 23:02 /etc/pki/tls/certs/server.crt

ls -lh /etc/pki/tls/private/server.key
 -rw------- 1 root root 891 Jun 24 23:02 /etc/pki/tls/private/server.key
They are owned by root and can only be read and written to by root (permission 600). Your new files will need the same permissions when you’re done.

Step 2: Create the New Self-Signed Certificate and Key Files

Type the following:
openssl req -new -days 365 -x509 -nodes -newkey rsa:2048 -out /etc/pki/tls/certs/server.crt -keyout /etc/pki/tls/private/server.key
Answer the questions as they are presented to create your new certificate files, starting with the two-letter country code and ending with your email address. If you make a mistake, don’t worry. Just re-run the command and it will overwrite the files.
Your file permissions may not have been affected, but in some cases you’ll need to update their permissions. Do:
chmod 600 /etc/pki/tls/certs/server.crt
chmod 600 /etc/pki/tls/private/server.key

Step 3: Restart Your Web Server

Type service httpd restart to restart your web server and tell it to use the new certificate files.
You’re done!


Pasos rápidos.
 ################# SSL Certificate Warning ################
  Certificate for hostname ' ', in file (or by nickname):
  The certificate needs to be renewed; this can be done
  using the 'genkey' program.
  Browsers will not be able to correctly connect to this
  web site using SSL until the certificate is renewed.
 ##########################################################
                                  Generated by certwatch(1)


# grep SSLCertificate /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

# openssl req -new -days 365 -x509 -nodes -newkey rsa:2048 -out /etc/pki/tls/certs/localhost.crt -keyout /etc/pki/tls/private/localhost.key
Responder las preguntas

# chmod 600 /etc/pki/tls/certs/localhost.crt
# chmod 600 /etc/pki/tls/private/localhost.key




Estos pasos funcionaron en Fedora 20  .fc20.x86_64

Fuente: http://www.stevejenkins.com/blog/2010/08/renewing-a-self-signed-ssl-certificate-on-fedoracentos/

No hay comentarios:

¿Cómo poner el conteo de las filas en una consulta en MySql?

 ¿Cómo poner el conteo de las filas en una consulta en MySql? SELECT  @rownum := @rownum + 1 AS contador,  /*Contador*/ t.*  /* nombre d...