I have been given the task of updating the certificate for one of our clients on their server. Problem is, not only have I never done this before, but the process involved on all the sites I have read seems to not work for me.
Firstly, I never supplied my client with a key file before they got the new certificate, I was under the impression they needed that to generate it.
Secondly, the only other certificate file on the server is a generic looking one from Verisign, not domain specific like the new one I have been sent.
Lastly, the one I have been sent is a .cer file, which is apparently as good as a .crt file, but it's making me more suspicious that it's the wrong certificate.
My ssl.conf that refers to the certificates is like so:
SSLCertificateFile /etc/httpd/ssl/ssl.cert.pem
SSLCertificateKeyFile /etc/httpd/ssl/ssl.key
SSLCACertificateFile /etc/httpd/ssl/ca.crt <<< This is the verisign one
So, basically, I have a .cer file, a conf and a server and none of it seems right to me. I'd really love any help.
Thanks,
Christian
You've got a lot of learning ahead of you. SSL is a tricky pest. The first question is: is the currently-installed certificate a valid one (issued by a "real" CA, etc) for the domain they're hosting (modulo expiry dates)? If it is, things are a bit easier.
Oh, BTW, whoever set this up previously was obviously a bit of a RHEL freak, because /etc/httpd isn't where Ubuntu keeps its stuff. That might bite you down the line.
For a start, the "Verisign" cert in /etc/httpd/ssl/ca.crt isn't the end-user certificate, it's the certificate of the CA that issued the previous certificate. That might need to change if you're getting a new certificate from a different CA.
It sounds like, if it's a renewal (and the previous cert on there is valid), the new cert may have been generated from the existing key. That's fine -- the key is private, after all, and doesn't need to change each year. To check if they line up, run:
And check the modulus data output by each of those commands. If they're the same, then the new cert was generated from the old key, and all will probably be OK. If they're different, then you'll need to get the key that the cert was generated from, and use that. If openssl complains about the cert file being in an invalid format, then your guess was right that the file is no good, and it'll need to be converted or reissued. (In that case, paste the cert file and someone might recognise the format and be able to tell you how to convert it).
To install the new cert (and possibly the key) rename the existing files out of the way and then copy the new files into place. Restart Apache (a full restart is safest, but if you only changed the cert a reload should do the trick). Check that Apache came back up, and accessing the site with HTTPS should report the new expiry date on the cert. If there are problems, it's best to move the old files back into place (that's why we moved them out of the way in the first place) and then examine the errors in the logs to see what went wrong and how to fix it.
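The two checks the answer describes (does the new certificate belong to the key already on the server, and is the .cer file in a format openssl can read) can be scripted. The following is an added example, not code from the original answer; it assumes only the openssl command-line tool. It generalises the answer's RSA modulus comparison by comparing the full public key, which also works for EC keys. The file names mirror the ssl.conf in the question, but the key, certificate and .cer used here are constructed in a temporary directory for the demo; point the functions at the server's real files instead.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a private key
# belongs to a certificate, and normalise a .cer that may be DER-encoded.
# Assumes the openssl CLI is installed. All fixture files are constructed.

# Write a PEM copy of certificate $1 to $2 and print the encoding found
# ("PEM" or "DER"). Returns 1 if openssl cannot parse it either way, which
# is the "invalid format" case the answer mentions.
cert_to_pem() {
    if openssl x509 -inform PEM -in "$1" -out "$2" 2>/dev/null; then
        echo PEM
    elif openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null; then
        echo DER
    else
        return 1
    fi
}

# Return 0 if private key $1 and PEM certificate $2 share a public key.
# Compares the SubjectPublicKeyInfo, so it works for RSA and EC alike; for
# RSA keys "openssl rsa -noout -modulus" vs "openssl x509 -noout -modulus"
# gives the same verdict. Returns 2 when either file cannot be read.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Constructed fixtures in a temp dir: a key, a self-signed cert made from
# it, a DER copy of that cert saved as new.cer, and an unrelated key.
make_fixtures() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ssl.key" \
        -out "$d/ssl.cert.pem" -subj "/CN=example.test" -days 1 >/dev/null 2>&1
    openssl x509 -in "$d/ssl.cert.pem" -outform DER -out "$d/new.cer"
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    echo "$d"
}

demo() {
    d=$(make_fixtures) || return 1
    fmt=$(cert_to_pem "$d/new.cer" "$d/new.crt") || {
        echo "new.cer: not PEM or DER, ask the CA to reissue"; return 1; }
    echo "new.cer is $fmt encoded; PEM copy written to $d/new.crt"
    for key in ssl.key other.key; do
        if key_matches_cert "$d/$key" "$d/new.crt"; then
            echo "$key matches new.crt: the cert was issued for this key"
        else
            echo "$key does NOT match new.crt: find the key the CSR was made with"
        fi
    done
    rm -rf "$d"
}

demo
```

Run the script as-is to see the demo, or source it and call `cert_to_pem /path/to/new.cer /etc/httpd/ssl/new.crt` followed by `key_matches_cert /etc/httpd/ssl/ssl.key /etc/httpd/ssl/new.crt` against the real files before swapping anything into place. A mismatch means the CSR was generated with a different key, and that key is what must go in `SSLCertificateKeyFile`.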