Koozali.org: home of the SME Server

SSL Certificate auto replacement

william_syd

SSL Certificate auto replacement
« on: July 14, 2006, 04:41:11 PM »
Does the certificate at -

Code:
/etc/httpd/conf/ssl.crt/server.crt

ever get replaced by SME at any time?
Regards,
William

IF I give advice.. It's only if it was me....

jfarschman

SSL Certificate auto replacement
« Reply #1 on: July 18, 2006, 04:58:48 PM »
Yes, it's generated when you change the server name, and I believe when it expires it is also regenerated.

Or so I am assuming. I never tested this.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

CharlieBrady

SSL Certificate auto replacement
« Reply #2 on: July 18, 2006, 05:29:10 PM »
Quote from: "jfarschman"
Yes, it's generated when you change the server name, and I believe when it expires it is also regenerated.

No, SME server's self-generated and self-signed certificate is elsewhere. The referenced file is never used and is never replaced or regenerated. I don't know off the top of my head where it comes from. I've never looked, and didn't know it existed until OP mentioned it.

william_syd

SSL Certificate auto replacement
« Reply #3 on: July 18, 2006, 06:05:39 PM »
Thanks for that.

I knew the one here
Code:
/home/e-smith/ssl.crt/
got changed but wasn't sure if
Code:
/etc/httpd/conf/ssl.crt/
got changed, copied and renamed to the e-smith location.

I've put together a little How-To on CA-signed certs based on the Red Hat manual, and the above is where they put their certs.

http://no.longer.valid/phpwiki/index.php/Creating%20a%20CA%20signed%20SSL%20Certificate
Regards,
William

IF I give advice.. It's only if it was me....

CharlieBrady

SSL Certificate auto replacement
« Reply #4 on: July 18, 2006, 06:16:41 PM »
That file is created during the installation of the mod_ssl RPM:

Code:
[root@test7 ~]# rpm -qf /etc/httpd/conf/ssl.crt/
mod_ssl-2.0.52-22.ent.centos4
[root@test7 ~]# rpm -qf /etc/httpd/conf/ssl.crt/*
mod_ssl-2.0.52-22.ent.centos4
file /etc/httpd/conf/ssl.crt/server.crt is not owned by any package
[root@test7 ~]# rpm -q --scripts mod_ssl
postinstall scriptlet (using /bin/sh):
umask 077

if [ ! -f /etc/httpd/conf/ssl.key/server.key ] ; then
/usr/bin/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 1024 > /etc/httpd/conf/ssl.key/server.key 2> /dev/null
fi

FQDN=`hostname`
if [ "x${FQDN}" = "x" ]; then
   FQDN=localhost.localdomain
fi

if [ ! -f /etc/httpd/conf/ssl.crt/server.crt ] ; then
cat << EOF | /usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -x509 -days 365 -out /etc/httpd/conf/ssl.crt/server.crt 2>/dev/null
--
SomeState
SomeCity
SomeOrganization
SomeOrganizationalUnit
${FQDN}
root@${FQDN}
EOF
fi
[root@test7 ~]#
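As an added example (my code, not from the thread or from SME Server), assuming OpenSSL is installed: a POSIX sh helper that compares two certificate files by SHA-256 fingerprint, reports the key size, and flags imminent expiry, plus a function that builds a throwaway cert in the style of the scriptlet above (CN localhost.localdomain, 365 days) so the checks can be tried without touching real files.

```shell
#!/bin/sh
# Added example, not from the thread. Inspects PEM certificate files so you can
# tell whether the mod_ssl-generated cert and the e-smith one are the same,
# how strong their keys are, and whether they are about to expire.

# SHA-256 fingerprint of a PEM certificate, hex digits only.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g'
}

# RSA modulus size in bits, parsed from the text dump.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeeds (exit 0) when the certificate expires within $2 days.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeeds when two files carry the same certificate.
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Constructed test data: a self-signed cert made the way the mod_ssl
# postinstall scriptlet makes one (365 days, hostname as CN), but with a
# chosen key size and no prompts. $1 = output dir, $2 = RSA key bits.
make_test_cert() {
    openssl req -x509 -newkey "rsa:$2" -nodes -days 365 \
        -subj "/CN=localhost.localdomain" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Compare two certificate files and print warnings a defender cares about.
report() {
    for f in "$1" "$2"; do
        printf '%s\n  key: %s bits  fp: %s\n' "$f" \
            "$(cert_key_bits "$f")" "$(cert_fingerprint "$f")"
        [ "$(cert_key_bits "$f")" -ge 2048 ] || echo "  WARNING: weak key"
        cert_expires_within "$f" 30 && echo "  WARNING: expires within 30 days"
    done
    if same_cert "$1" "$2"; then echo "same certificate"; else echo "different certificates"; fi
}
```

Run `report` against /etc/httpd/conf/ssl.crt/server.crt and the certificate file under /home/e-smith/ssl.crt/ to confirm they really are different certificates; the thread does not give the e-smith file name, so substitute your own.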