
httpd cert renew⚓︎

Overview⚓︎

PKI certificate renewal on RHEL 7/8 based systems should use /etc/pki/tls as the store for the private key, CSR and certificate, so that httpd's SSLCertificate* directives point at stable paths and a renewal only replaces files in place.

Steps⚓︎

Bash
# audit the httpd config for the private key, certificate and chain file locations
# (matches SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile)
grep -r "^SSLCertificate" /etc/httpd/

# cd to the tls dir where the keys and certificates should be stored
cd /etc/pki/tls

# obtain the file name of the openssl config (see "Example OpenSSL Config" below)
ls private/*.cnf

# create the private key and certificate signing request
# update the 'out' and 'keyout' file names to match the paths found by the grep above
# the glob in -config only works if private/ holds exactly one .cnf file; otherwise name it explicitly
# note: -newkey rsa:2048 overrides default_bits in the config, and -nodes writes the key
# unencrypted, so keep it root-owned and mode 0600
openssl req -out private/<server>.csr -newkey rsa:2048 -nodes -keyout private/<server>.key -config private/*.cnf

# print the CSR for submission to trust.csu.org for signing
cat private/<server>.csr

# submit the CSR to the signing CA and obtain the signed certificate in base64 (PEM) format

# replace the contents of the certificate file with the signed certificate
# (this is the file named by SSLCertificateFile; it holds the certificate, not a bare public key)
vim certs/<server>.crt
# paste the base64 content of the signed certificate
# if the CA also returned intermediate certificates, update the file named by
# SSLCertificateChainFile the same way, and run apachectl configtest before restarting

# restart httpd to load the new key and certificate (a full restart, rather than a reload,
# guarantees mod_ssl re-reads both files); on RHEL 7/8 this is equivalent to systemctl restart httpd
service httpd restart

Example OpenSSL Config⚓︎

INI
[req]
# key size used when the key is generated from this config; a -newkey rsa:N on the
# command line overrides it
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = <Country>
ST = <State>
L = <City>
O = <Company>
OU = <Organization Unit>
emailAddress = <Email Address>
CN = <Common Name>

[ req_ext ]
# clients validate the host name against subjectAltName, not CN, so the CN host
# must also be listed in alt_names below
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = <Subject Alternate Name 1>
DNS.2 = <Subject Alternate Name 2>
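The steps and config above have two common failure modes that only show up after the restart: the CSR was generated without the SAN extension (the CA then issues a certificate browsers reject), or the pasted certificate does not belong to the key in private/ (httpd then refuses to start). The following checks are an added example, not code from the original page; it assumes only the openssl CLI (1.0.2 or later) and PEM files laid out as above, and the function names and the check_renewal wrapper are this example's own.

```bash
#!/bin/bash
# Post-renewal checks for the key, CSR and certificate produced by the steps above.
# Added example, not part of the original page. Every path is passed as an argument.

# Extract "DNS:host" entries, one per line, from `openssl ... -text` output.
_sans_from_text() {
    awk '/Subject Alternative Name/ { getline; print }' | tr ',' '\n' | sed 's/^ *//'
}

# SANs in a CSR. Check this before submitting: if req_extensions was not picked up
# from the config, the CA will issue a certificate without SANs.
csr_sans() {
    openssl req -in "$1" -noout -text 2>/dev/null | _sans_from_text
}

# SANs in a signed certificate.
cert_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | _sans_from_text
}

# SHA-256 of the DER SubjectPublicKeyInfo derived from a PEM private key.
key_pub_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{ print $NF }'
}

# SHA-256 of the DER SubjectPublicKeyInfo embedded in a PEM certificate.
cert_pub_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{ print $NF }'
}

# Succeeds only if the private key and certificate are a pair. Pasting the wrong
# (or the previous) certificate into certs/<server>.crt is the usual reason httpd
# refuses to start after a renewal.
key_matches_cert() {
    local k c
    k=$(key_pub_fingerprint "$1")
    c=$(cert_pub_fingerprint "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds if the certificate is still valid $2 days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate file, as openssl prints it.
file_cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of the certificate a live server presents for host $1 on
# port $2 (default 443). Compare with file_cert_fingerprint after the restart to
# confirm httpd really loaded the new certificate. Needs network access.
served_cert_fingerprint() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Run the offline checks against a key/CSR/certificate triple; nonzero on failure.
check_renewal() {
    local key="$1" csr="$2" crt="$3" rc=0
    echo "CSR SANs:";  csr_sans "$csr"
    echo "Cert SANs:"; cert_sans "$crt"
    key_matches_cert "$key" "$crt" || { echo "FAIL: key and certificate do not match"; rc=1; }
    cert_valid_for_days "$crt" 30  || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    [ "$(csr_sans "$csr")" = "$(cert_sans "$crt")" ] || echo "WARN: CA changed the SAN list"
    return $rc
}

# usage from /etc/pki/tls, with the file names chosen in the steps above:
#   check_renewal private/<server>.key private/<server>.csr certs/<server>.crt
#   [ "$(served_cert_fingerprint <server>)" = "$(file_cert_fingerprint certs/<server>.crt)" ]
```

The key/certificate match is done by hashing the SubjectPublicKeyInfo from both sides rather than comparing an RSA modulus, so the same check works unchanged for EC keys. Run the served-fingerprint comparison from a second host after the restart; a stale fingerprint means httpd is still serving the old certificate.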
