My ongoing experiences with Ubuntu, and later Mythbuntu, as a media center with MythTV. I'm also using the system for a virtual machine server, a mediawiki server and a general all around home infrastructure base.

Saturday, January 31, 2009

Regenerating Apache SSL certificate for 10 years

I noticed the SSL certificate I had previously generated for Apache had expired, so I set about generating a new one. This time I wanted to generate a really long-lived (10 year) certificate so I didn't have to deal with this again in a year.

I started by cleaning out the old certificate (you'll get an error later if you don't do this):
# rm /etc/apache2/ssl/*
Now I edited the OpenSSL configuration file to bump the lifetime to 10 years (3650 days):

# cp /usr/share/ssl-cert/ssleay.cnf /usr/share/ssl-cert/ssleay.cnf.orig
# vi /usr/share/ssl-cert/ssleay.cnf
# diff -c /usr/share/ssl-cert/ssleay.cnf /usr/share/ssl-cert/ssleay.cnf.orig
*** /usr/share/ssl-cert/ssleay.cnf 2009-01-31 13:37:24.000000000 -0600
--- /usr/share/ssl-cert/ssleay.cnf.orig 2009-01-31 13:36:58.000000000 -0600
***************
*** 7,13 ****
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
- default_days = 3650
distinguished_name = req_distinguished_name
prompt = no
policy = policy_anything
--- 7,12 ----
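Review bot: the diff arguments are reversed (edited file first, `.orig` second), so the only changed line, `- default_days = 3650`, is shown as a removal even though it is the line being added; running `diff -c /usr/share/ssl-cert/ssleay.cnf.orig /usr/share/ssl-cert/ssleay.cnf` would show it with `+` and read naturally. While editing this `[ req ]` block, the context line `default_bits = 1024` deserves raising to 2048 at the same time: a 1024-bit RSA key is a weak foundation for a certificate meant to stay in service for ten years.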
Now I went ahead and generated the new certificate. The hostname was already filled in, so I just had to hit return at the only prompt.

# make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
Finally I took a peek at the generated certificate to make sure it had the 10-year lifetime. The "Not Before" and "Not After" fields in the output below show the validity period.
# openssl x509 -noout -text -in /etc/apache2/ssl/apache.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            9e:cd:82:bd:cb:03:19:d7
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=your.hostname.here
        Validity
            Not Before: Jan 31 19:37:42 2009 GMT
            Not After : Jan 29 19:37:42 2019 GMT
        Subject: CN=your.hostname.here
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c5:5a:c0:c9:d0:d8:e7:d9:69:ac:04:74:13:4f:
                    62:d5:7d:70:4f:47:60:a1:42:d7:26:6f:e1:ff:11:
                    fc:94:e7:70:6c:48:b7:46:87:62:14:81:91:59:f2:
                    43:d0:1c:76:5f:27:47:6a:f0:d6:e3:8d:2b:5f:9c:
                    53:56:12:56:cc:a4:0e:62:2c:a5:16:0a:e6:72:11:
                    a2:ea:89:a1:3c:82:9d:02:d8:01:4a:e3:25:b7:5f:
                    47:4b:bc:7a:98:ba:57:f0:15:17:74:fd:e5:8d:6a:
                    fd:cc:37:b2:a0:08:e8:a9:35:9b:2a:1a:9e:75:b1:
                    7d:dd:69:a4:ca:87:a4:ac:33
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        1a:e9:96:fb:02:c5:86:fa:4d:3b:84:3e:fb:88:b9:db:00:fe:
        a7:89:15:bb:a0:af:72:13:2f:d3:0e:a5:ff:59:00:cb:ca:67:
        e6:6e:3c:24:92:9b:0d:2d:d5:46:77:7d:a3:7f:68:b3:7d:d7:
        38:09:bb:48:e9:96:17:ba:02:e4:59:48:06:66:9a:ee:9b:bc:
        64:6e:c9:ea:da:57:18:f7:bb:21:b1:61:38:1a:3a:31:4c:0f:
        f0:b5:6c:05:8f:4b:30:76:bb:68:b0:f2:a7:8e:ae:07:c5:7e:
        16:f5:86:78:4f:2a:b0:b7:fe:21:be:a9:79:ee:89:6d:07:4a:
        68:a9
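Checking the dates by eye is how this certificate expired unnoticed in the first place, so here is an added example (not from the original post) that parses the Validity block of `openssl x509 -noout -text` output and reports the lifetime and the days left before expiry. The sample text is constructed from the output above; the 3650-day expectation and 30-day warning threshold are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the Validity block as 'openssl x509 -noout -text' prints it,
# copied from the certificate generated above (key and signature hex omitted).
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Validity
            Not Before: Jan 31 19:37:42 2009 GMT
            Not After : Jan 29 19:37:42 2019 GMT
"""

_OPENSSL_TIME = "%b %d %H:%M:%S %Y %Z"   # e.g. "Jan 31 19:37:42 2009 GMT"
_VALIDITY_RE = re.compile(r"^\s*Not (Before|After)\s*:\s*(.+?)\s*$", re.MULTILINE)

def parse_validity(x509_text):
    """Return (not_before, not_after) as UTC datetimes from -text output."""
    found = {m.group(1): m.group(2) for m in _VALIDITY_RE.finditer(x509_text)}
    if set(found) != {"Before", "After"}:
        raise ValueError("no Validity block in openssl x509 -text output")
    as_utc = lambda s: datetime.strptime(s, _OPENSSL_TIME).replace(tzinfo=timezone.utc)
    return as_utc(found["Before"]), as_utc(found["After"])

def lifetime_days(x509_text):
    """Whole days between Not Before and Not After (3650 for the cert above)."""
    not_before, not_after = parse_validity(x509_text)
    return (not_after - not_before).days

def days_until_expiry(x509_text, asof=None):
    """Days left before Not After (negative once expired). asof: ISO-8601
    string with a UTC offset, or an aware datetime; defaults to now (UTC)."""
    if asof is None:
        asof = datetime.now(timezone.utc)
    elif isinstance(asof, str):
        asof = datetime.fromisoformat(asof)
    return (parse_validity(x509_text)[1] - asof).days

def check_lifetime(x509_text, expected_days=3650, warn_days=30, asof=None):
    """One-line verdict a cron job could mail you; thresholds are assumptions."""
    actual = lifetime_days(x509_text)
    left = days_until_expiry(x509_text, asof)
    if actual != expected_days:
        return "unexpected lifetime: %d days, wanted %d" % (actual, expected_days)
    if left < 0:
        return "expired %d days ago" % -left
    if left < warn_days:
        return "expires in %d days" % left
    return "ok, expires in %d days" % left
```

Note that the 3650-day window lands on Jan 29 rather than Jan 31 because two leap days (2012 and 2016) fall inside it; a ten-year lifetime like this is only realistic for a self-signed certificate, since publicly trusted CAs now cap issuance at 398 days.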
