OpenSSL is a free and open-source SSL solution that anyone can use for personal and commercial purposes. Although it is free, certificates created with it can expire, and you may need to renew them. This post will show you how to renew a self-signed certificate using the OpenSSL tool on a Linux server. If you are looking into creating a new self-signed certificate instead of renewing an existing one, please take a look at Six Easy Steps to Create a Self-Signed Certificate on Ubuntu Server
What do I need to know to renew my OpenSSL cert?
You must know the location of your current certificate that has expired and the private key. The majority of the Linux server administrator like to put the certificate files in the /etc/apache2/ssl directory. You can take a look at the /etc/apache2/ssl directory or for your existing cert file and the private key.
If you do not know where you kept your private key, do not worry; you can generate a new one using the following command. However, note that this new key will not restore access to anything associated with the lost key.
openssl genrsa -out /etc/apache2/ssl/mynew.key 2048
To renew the secure socket layer (SSL) cert, you need to follow two steps:
- create a CSR (certificate signing request)
- and generate the certificate with your private key.
Remember that you must need a private key before creating your CSR.
Scenario: for example, you have a certificate called apache.crt which has been expired and you want to renew it for the next 365 days.
The complete procedures you need to follow:
- Create a certificate signing request with the following command:
openssl req -new -key /etc/apache2/ssl/mykey.key -out /etc/apache2/ssl/new.csr
- Check your certificate signing request information using the following command:
openssl req -in /etc/apache2/ssl/new.csr -noout –text
Before creating the new certification, please rename the apache.crt file located in /etc/apache2/ssl so that you do not have to change anything in the apache configuration file.
openssl x509 -req -days 365 -in /etc/apache2/ssl/new.csr -signkey /etc/apache2/ssl/mykey.key -out /etc/apache2/ssl/apache.crt
Note: in the above command 365 is the number of days after which your new certificate will expire. The name of key file is mykey.key and the name of the certificate file is apache.crt. You need to change the name of the key and the CRT file name to match your existing certificate and the key file.
Next, restart apache2 server with the following command:
service apache2 restart
Finally, test the new expiry date of your certificate by running the following openssl command.
openssl x509 -in /etc/apache2/ssl/apache.crt -noout -enddate
