Creating / renewing SSL Cert

Generate the new key

root@vimes:/etc/ssl# openssl genrsa -aes256 -out ./private/star.kumari.net-20110723.key 2048
 Generating RSA private key, 2048 bit long modulus
 ......................................................................................................+++
 .................................................................................................+++
 e is 65537 (0x10001)
 Enter pass phrase for ./private/star.kumari.net-20110723.key:
 Verifying - Enter pass phrase for ./private/star.kumari.net-20110723.key:

Get the info from the old CSR

 root@vimes:/etc/ssl# openssl req -in star.kumari.net.csr -noout -text
 Certificate Request:
   Data:
       Version: 0 (0x0)
       Subject: C=US, ST=Virginia, L=Sterling, O=Warren Kumari, OU=Warren Kumari, CN=*.kumari.net/emailAddress=warrenkumari.net
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (1024 bit)
               Modulus (1024 bit):
                   00:a1:a1:f4:8a:50:e3:71:ee:4e:d2:3d:51:97:2c:
                   [SNIP]
94:e9:1f:e7:07:e1:90:1e:ab Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha1WithRSAEncryption 71:b5:82:16:4f:7e:c9:f8:e9:3e:55:fe:86:d9:b9:e9:13:a2: [SNIP]
23:7d:1f:68:38:5d:ca:12:f9:1e:44:3c:e4:47:a5:be:09:ac: 0b:6b

Now generate a new CSR

 root@vimes:/etc/ssl# openssl req -new -key ./private/star.kumari.net-20110723.key -out star.kumari.net-20110723.csr
 Enter pass phrase for ./private/star.kumari.net-20110723.key:
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [US]:
 State or Province Name (full name) [Virginia]:
 Locality Name (eg, city) [Sterling]:
 Organization Name (eg, company) [Warren Kumari]:
 Organizational Unit Name (eg, section) [Warren Kumari]:
 Common Name (eg, YOUR name) [Warren Kumari]:*.kumari.net
 Email Address [warren.at.kumari.net]:
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:
 root@vimes:/etc/ssl# ls
 certs  openssl.cnf  private  star.kumari.net-20110723.csr  star.kumari.net.csr  wildcard.kumari.net.csr  www.kumari.net_godaddy.csr

And provide the CSR to the CA

 root@vimes:/etc/ssl# more star.kumari.net-20110723.csr 
 -----BEGIN CERTIFICATE REQUEST-----
 MIIC4jCCAcoCAQAwgZwxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhWaXJnaW5pYTER
 MA8GA1UEBxMIU3RlcmxpbmcxFjAUBgNVBAoTDVdhcnJlbiBLdW1hcmkxFjAUBgNV
 [SNIP]
 e+WZXl16+MwNDk0tBQsOn2Z0ppC60O42wouMOIMJD904WS/72/NbDsxVmkmfig/Y
 UqrjcdnOXYfkzOfitv2TWlMwW7WtGQ==
 -----END CERTIFICATE REQUEST-----

 

Installing / using the new certificate

If you end up with a certificate that needs an intermediate certificate, there are a few options.

Apache

Apache knows how to deal with these using the SSLCACertificateFile option.

       # We want SSL for this site.
       SSLEngine On
       # Cert and key locations
       SSLCertificateFile /etc/ssl/certs/star.kumari.net-20110723.crt
       # Intermediate cert.
       SSLCACertificateFile /etc/ssl/certs/RapidSSL_CA_bundle.pem
       # And the key...
       SSLCertificateKeyFile /etc/ssl/private/star.kumari.net-20110723.key

Postfix (and others)

Some software doesn't understand handing out intermediate CA certificates, but this can sometimes be worked around by putting both the certificate and the intermediate cert in one file.

Create the combined pem file:

  $ cat star.kumari.net-20110723.pem RapidSSL_CA_bundle.pem > star.kumari.net-20110723-bundle.pem 

Now tell Postfix about it:

 # TLS parameters
 smtpd_tls_cert_file=/etc/ssl/certs/star.kumari.net-20110723-bundle.pem 
 smtpd_tls_key_file=/etc/ssl/private/star.kumari.net-20110723.key
 smtpd_use_tls=yes
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

 

Additional information