A while ago I had to renew the SSL certificate for a website I'm taking care of.
How do I verify that a private key matches a certificate?
[codesyntax lang="bash"]
openssl x509 -noout -modulus -in server.crt | openssl md5 openssl rsa -noout -modulus -in server.key | openssl md5
[/codesyntax]
How do I verify that a CSR matches a certificate match?
[codesyntax lang="bash"]
openssl req -noout -modulus -in server.csr | openssl md5
[/codesyntax]
If you see [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) in you apache error.log file means you have created a cert that is intended to be used to sign other certs, but you're using that cert as your SSL cert. So, it depends how you create the SSL cert.
But how can we solve this problem?!
1. Generate private key and certificate signing request
[codesyntax lang="bash"]
openssl genrsa -des3 -passout pass:x -out server.pass.key 2048 openssl rsa -passin pass:x -in server.pass.key -out server.key rm server.pass.key openssl req -new -key server.key -out server.csr
[/codesyntax]
Note: when the openssl req command asks for a “challenge password”, just press return, leaving the password empty.
2. Generate SSL certificate
[codesyntax lang="bash"]
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
[/codesyntax]
Recent Comments