Generating Apache SSL Self-Signed Certificate

# openssl req -x509 -newkey rsa:1024 -keyout /etc/httpd/conf/ssl.key/server.key -out /etc/httpd/conf/ssl.crt/server.crt -days 9999 -nodes
# chown root:root /etc/httpd/conf/ssl.key/server.key
# chmod 400 /etc/httpd/conf/ssl.key/server.key


Generating CSR from existing key

openssl req -new -key server.key -out server.csr

Generating 2048 bit CSR

openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr

debug ssl cert with openssl

Commands used:

openssl s_client -connect host.domain.tld:443
openssl s_client -showcerts -connect host.domain.tld:443
openssl s_client -state -nbio -connect host.domain.tld:443 2>&1

Reference:
http://www.cyberciti.biz/tips/debugging-ssl-communications-from-unix-shell-prompt.html
http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/

Verify certificate and chain installed fine online

Remove passphrase from ssl key

openssl rsa -in passphrase.key -out nopass.key

CSR info

openssl req -text -noout -in /path/to/server.csr

SSL certificate information

  1. Full text information:
    # openssl x509 -text -in server.crt
  2. Issuer of the certificate:
    # openssl x509 -noout -in server.crt -issuer
  3. Issued to:
    # openssl x509 -noout -in server.crt -subject
  4. Valid dates:
    # openssl x509 -noout -in server.crt -dates
  5. All of the above:
    # openssl x509 -noout -in server.crt -issuer -subject -dates
  6. Hash value:
    # openssl x509 -noout -in server.crt -hash
  7. MD5 fingerprint:
    # openssl x509 -noout -in server.crt -fingerprint
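As an added example (not part of the original post or its comments), the x509 inspection commands above and the s_client commands from the debug comment wrapped into small shell functions, plus an expiry check that the post does not show. It assumes only the openssl CLI is installed; remote_cert needs network access and is not exercised offline, and a SHA-256 fingerprint is printed in place of the MD5 one listed above.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI.

# Print the fields the post lists (subject, issuer, dates), plus the serial
# and a SHA-256 fingerprint. MD5 fingerprints are collision-prone and should
# not be used to identify a certificate any more.
inspect_cert() {
    cert="$1"
    openssl x509 -noout -in "$cert" -subject -issuer -serial -dates
    openssl x509 -noout -in "$cert" -fingerprint -sha256
}

# Exit 0 if the certificate stays valid for at least DAYS more days,
# 1 if it expires sooner or has already expired. Suitable as a cron job
# that alerts on non-zero exit, so a renewal is never missed.
cert_valid_for_days() {
    cert="$1"
    days="${2:-30}"
    openssl x509 -noout -in "$cert" -checkend $(( days * 86400 )) >/dev/null
}

# Fetch the certificate a server presents (SNI via -servername, as most
# virtual hosts require) and show who issued it and when it expires.
# </dev/null closes stdin so s_client exits after the handshake.
remote_cert() {
    host="$1"
    port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}
```

Usage: inspect_cert /etc/httpd/conf/ssl.crt/server.crt for a local file, cert_valid_for_days server.crt 14 to fail when less than two weeks remain, and remote_cert host.domain.tld to see what a live server actually serves (the served certificate can differ from the file on disk if Apache was not reloaded after a renewal).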

Renewing self signed SSL certificate

After generating a renewed self-signed SSL cert, I got the message below:

You have received an invalid certificate...
Your certificate contains the same serial number as another
certificate issued by the certificate authority. 
Please get a new certificate containing a unique serial number.

With some digging, I found that a new serial number can be set as below.

# openssl req -x509 -new -key /etc/httpd/conf/ssl.key/server.key  \
-out /etc/httpd/conf/ssl.crt/server.crt -days 9999 -nodes -set_serial 99999

man x509 for more info.
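As an added example (not from the original post or the comment above), the self-signed generation from the top of the post and the renewal step from this comment combined into a script that picks a fresh random serial on every run, so a renewed certificate never collides with the previous one in a client's certificate store. It assumes only the openssl CLI; key and certificate paths and the CN are parameters rather than the post's /etc/httpd/conf locations, and it uses a 2048-bit key instead of the 1024-bit key in the original command, since 1024-bit RSA is no longer adequate.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI.

# gen_selfsigned KEYFILE CERTFILE CN [DAYS]
# Creates a 2048-bit RSA key and a self-signed certificate for CN,
# non-interactively (-subj), with a random 128-bit serial number.
gen_selfsigned() {
    key="$1"; crt="$2"; cn="$3"; days="${4:-365}"
    # 16 random bytes, given to -set_serial as hex (0x prefix).
    serial="0x$(openssl rand -hex 16)"
    openssl req -x509 -newkey rsa:2048 -nodes \
        -subj "/CN=$cn" -days "$days" -set_serial "$serial" \
        -keyout "$key" -out "$crt" >/dev/null 2>&1 || return 1
    # Private key readable by its owner only (the post's chmod 400;
    # chown root:root applies when this runs as root).
    chmod 400 "$key"
}

# renew_selfsigned KEYFILE CERTFILE CN [DAYS]
# Keeps the existing key, as the comment does, but issues a new certificate
# with a new serial, avoiding the "same serial number" error.
renew_selfsigned() {
    key="$1"; crt="$2"; cn="$3"; days="${4:-365}"
    serial="0x$(openssl rand -hex 16)"
    openssl req -x509 -new -key "$key" -subj "/CN=$cn" -days "$days" \
        -set_serial "$serial" -out "$crt" >/dev/null 2>&1
}

# Print the serial number openssl reports for a certificate (hex).
cert_serial() {
    openssl x509 -noout -in "$1" -serial | sed 's/^serial=//'
}

# A self-signed certificate must verify with itself as the trust anchor.
verify_selfsigned() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Confirm the key and certificate carry the same public key, which catches
# a renewal that was accidentally generated from a different key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Usage: gen_selfsigned server.key server.crt host.domain.tld 365 once, then renew_selfsigned server.key server.crt host.domain.tld 365 when the certificate nears expiry; cert_serial on the old and new certificate differs, verify_selfsigned and key_matches_cert both exit 0, and Apache must be reloaded to serve the new file.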
