Manual of how to update expired / invalid certificates
As you know from the Apache manual, certificates are the basis of server authentication and security. You may also have run into errors (and even bigger problems) because the System Administration course CA certificate expired on the 1st of May 2018. Since you are expected to configure secure Apache pages and services in the exam as well, we created this separate page on how to update the certificates.
Let's create a separate folder for our new certificate:
# mkdir /etc/ssl/caupdate
# cd /etc/ssl/caupdate
Now let's use our old openssl.cnf as a preconfiguration for certificate creation (we created our custom openssl.cnf in the Apache manual):
# cp /etc/ssl/cacert/openssl.cnf /etc/ssl/caupdate/openssl.cnf
Create the supporting default folders and files where the CA stores what it needs:
# mkdir certs crl newcerts private
# echo 01 > serial
# touch index.txt
Let's change the default folder to the new one in openssl.cnf:
# nano openssl.cnf
Edit the dir parameter to match our new folder:
dir = /etc/ssl/caupdate
If you need your own custom CA you can create it with this command ... (DO NOT execute it, as the teachers will give you a precreated one):
openssl req -new -x509 -days 360 -keyout /etc/ssl/caupdate/private/cakey.pem -out /etc/ssl/caupdate/cacert.pem -config /etc/ssl/caupdate/openssl.cnf
Let's download the new .est CA certificates that the teachers created for you.
# cd /etc/ssl/caupdate
- makes sure you are in the right folder
# wget -O private/cakey.pem http://www.ut.ee/~alop/cakey-est.pem
- Download the CA secret private key.
# wget -O cacert.pem http://www.ut.ee/~alop/cacert-est.pem
- Download the CA public key.
Let's generate the new private key first:
# openssl genrsa -out newkey.pem 4096
Now let's make a certificate request for your domain:
# openssl req -new -key newkey.pem -out newreq.pem -days 360 -config /etc/ssl/caupdate/openssl.cnf
- Choose the correct answers yourself.
Now sign the certificate with the CA private key you downloaded earlier:
# openssl ca -config /etc/ssl/caupdate/openssl.cnf -policy policy_anything -out newcert.pem -infiles newreq.pem
It should ask for the CA private key password, which is casecurepass, and then for Y twice to confirm the signing process.
Copy the newly created keys to the proper folders and fix the file permissions:
# cp newcert.pem /etc/ssl/certs/server.crt
# cp cacert.pem /etc/ssl/certs/cacert.crt
# cp newkey.pem /etc/ssl/private/server.key
# chgrp ssl-cert /etc/ssl/private/server.key
# chmod g+r /etc/ssl/private/server.key
# chmod a+r /etc/ssl/certs/server.crt
# chmod a+r /etc/ssl/certs/cacert.crt
Copy the certificates for Nextcloud:
# cp /etc/ssl/certs/server.crt /var/snap/nextcloud/current/certs/live/server.pem
# cp /etc/ssl/private/server.key /var/snap/nextcloud/current/certs/live/server.key
# cp /etc/ssl/certs/cacert.crt /var/snap/nextcloud/current/certs/live/cacert.pem
update-ca-certificates is a program that updates the directory /etc/ssl/certs to hold SSL certificates and generates certificates.crt:
# update-ca-certificates --fresh
- Restart the postfix server
- Restart the dovecot server
- Restart the Apache server
- Restart the Nextcloud server
- Import the new CA public key into the web browser on your personal machine (laptop)
- Set your web browsers to trust our new CA certificate
- Check that Apache and Nextcloud now work without warnings and are marked secure by Firefox and/or Apache!
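Before restarting the services it is worth checking the installed files themselves rather than waiting for a browser warning. The script below is an added example, not part of this manual (the file name certcheck.sh is assumed): it verifies that server.crt was signed by cacert.crt, that server.key is the key belonging to server.crt, that the certificate is not about to expire, and that the private key is not world-readable.

```shell
#!/bin/sh
# certcheck.sh (added example, assumed name): sanity checks after renewal.
# Every check prints nothing and returns 0 on success, 1 on failure.

# check_chain CERT CAFILE: CERT must be signed by the CA in CAFILE.
check_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_key_matches CERT KEY: the public key inside CERT must equal KEY's.
check_key_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_not_expiring CERT DAYS: CERT must still be valid DAYS days from now.
check_not_expiring() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_key_perms KEY: the private key must not be readable by "others"
# (the manual gives it to group ssl-cert with g+r, never a+r).
check_key_perms() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  [ $(( 0$mode & 4 )) -eq 0 ]
}

# report CMD ARGS...: run one check, print its result, remember any failure.
report() {
  if "$@"; then echo "ok   $*"; else echo "FAIL $*"; rc=1; fi
}

# run_checks CERT KEY CAFILE: run all checks; return 1 if any of them failed.
run_checks() {
  rc=0
  report check_chain "$1" "$3"
  report check_key_matches "$1" "$2"
  report check_not_expiring "$1" 14
  report check_key_perms "$2"
  return $rc
}

# With three arguments check those files; with none, only define the functions.
# e.g. sh certcheck.sh /etc/ssl/certs/server.crt /etc/ssl/private/server.key /etc/ssl/certs/cacert.crt
if [ $# -eq 3 ]; then run_checks "$1" "$2" "$3"; fi
```

The same checks can be pointed at the copies in /var/snap/nextcloud/current/certs/live/ to confirm that the Nextcloud files were copied correctly.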