Once every year, I need to update the SSL certificate for one of my domains. Somehow, I’ve never written down the instructions until now:
Step 1: Initiate the Certificate Renewal
Start by purchasing a certificate renewal from the vendor. (I use Thawte.) They’ll send an email asking for purchase approval.
Step 2: Generate a Certificate Signing Request (CSR)
At the command line, navigate to the folder where certs and keys are stored. Mine is /etc/pki/tls/, and contains the folders certs, misc, and private. In my setup, it also contains the .conf file for
Type the following command:
sudo openssl genrsa -des3 -out private/your-keyname-here.key 2048
This creates a private key owned by root and stores it in the file,
Next, working from within the same folder as before, use this private key to create a CSR. Type:
sudo openssl req -new -key private/your-keyname-here.key -out your-keyname-here.csr
The openssl process will now ask for certain details to be included in the CSR. When requested, do not enter an email address, a challenge password, or an optional company name. The process creates a CSR file owned by root and stores it in,
Step 3: Submit the CSR
Navigate to the certificate provider’s website, sign in, then submit the CSR for approval. On success, the provider will send download and installation instructions via email.
Step 4: Install the certificate
Follow the instructions in the email to download the certificate, unzip it, and move the contained files into the appropriate target directory or directories for your setup. My latest certificate included two files, namely, IntermediateCA.crt. In my setup, both files went into the /etc/pki/tls/certs/ folder. Make sure to be logged in as root when creating these files, and set file permissions to 644.
For more details, visit this page.
Step 5: Update the SSL config file
Back at the command line, navigate to /etc/httpd/conf.d/ and open ssl.conf. Find the lines for the following settings:
SSLCertificateFile
SSLCertificateKeyFile
SSLCertificateChainFile
… and make sure they point to correct files and locations for each of these settings. My setup looks like this:
SSLCertificateFile /etc/pki/tls/certs/ssl_certificate.crt
SSLCertificateKeyFile /etc/pki/tls/private/mydomain.com.key
SSLCertificateChainFile /etc/pki/tls/certs/IntermediateCA.crt
Step 6: Reboot the server
Follow the instructions in the earlier article, Rebooting the MSA Server on Digital Ocean, to restart the server.
Step 7: Verify success
Once the server is back up, verify the certificate is working properly using this testing tool.
Note on passphrases for SSL certs: if you opt for a passphrase when creating a CSR, you’ll need to provide this passphrase each time the server is rebooted. This is okay for a stable environment but becomes a pain when server restarts are frequent.
I opted to remove the passphrase on my dev server using the instructions outlined here. However, my production server still requires the passphrase.
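The steps above as a small script, added here as an example rather than taken from the post: it generates the renewal key and CSR without the interactive prompts of Step 2, and, once the vendor's certificate is installed, checks that key, CSR and certificate all share one public key and that the certificate is not about to expire, before ssl.conf is touched. It assumes openssl is on PATH; the host name, directory, file names and subject fields are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: generate the renewal key and CSR
# without interactive prompts, then confirm key, CSR and issued certificate
# share one public key before editing ssl.conf. Assumes openssl on PATH;
# paths, file names and subject fields are placeholders.
set -eu

# Write a 2048-bit RSA key (mode 600) into $dir/private and a CSR into $dir.
# Unlike the post's "genrsa -des3", this key has no passphrase, so nothing
# prompts at boot (see the note on passphrases at the end of the post).
make_key_and_csr() {
  dir=$1; name=$2; cn=$3
  mkdir -p "$dir/private" "$dir/certs"
  openssl genrsa -out "$dir/private/$name.key" 2048 2>/dev/null
  chmod 600 "$dir/private/$name.key"
  openssl req -new -key "$dir/private/$name.key" \
    -subj "/C=US/ST=State/L=City/O=Example Org/CN=$cn" \
    -out "$dir/$name.csr"
}

# SHA-256 of the SubjectPublicKeyInfo held in a key, CSR or certificate.
pubkey_fp() {
  case $1 in
    key) openssl rsa  -in "$2" -pubout 2>/dev/null ;;
    csr) openssl req  -in "$2" -pubkey -noout ;;
    crt) openssl x509 -in "$2" -pubkey -noout ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if key, CSR and certificate carry the same public key. This
# catches the classic renewal slip of leaving SSLCertificateKeyFile on last
# year's key while SSLCertificateFile already names the new certificate.
check_match() {
  k=$(pubkey_fp key "$1"); c=$(pubkey_fp csr "$2"); x=$(pubkey_fp crt "$3")
  [ -n "$k" ] && [ "$k" = "$c" ] && [ "$k" = "$x" ]
}

# Succeed if the certificate stays valid for at least $2 more days.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run stand-alone with "demo": key + CSR for the placeholder host.
if [ "${1:-}" = "demo" ]; then
  make_key_and_csr /tmp/pki-demo mydomain.com www.mydomain.com
  echo "CSR written to /tmp/pki-demo/mydomain.com.csr"
fi
```

After Step 4, run check_match against the installed key, the CSR you submitted and the downloaded certificate; a mismatch means httpd will refuse to start with the new files.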