
Why do I Need to Install or Reinstall My SSL Certificate?

According to Globalsign

The Certificate Authority (CA) industry was alerted of compliance implications related to the inclusion of a specific extension (OCSP-signing extended key usage) in CA certificates which has, under certain conditions, unintended compliance and security implications. A number of GlobalSign Issuing CAs have been impacted by this issue. While no key compromise or security incident has taken place, we will be revoking these Issuing CA’s as part of our remediation plan in accordance with the CA/B Forum Baseline Requirements and the GlobalSign CPS. Revoked intermediate certificates can cause errors in the validation of certificates signed by these Intermediate Certificates.

GlobalSign.com

So, What Exactly Does This Mean?

It means that one of the intermediate (issuing CA) certificates that validates your SSL certificate was found to have a flaw: the OCSP-signing extended key usage mentioned above. Although no security issues have been seen, GlobalSign has opted to revoke that intermediate certificate as a precautionary measure to ensure no compromises affect its clients. Once it is revoked, certificates that chain through it will fail validation, which is why they need to be reissued.

What is the Next Step?

GlobalSign is asking you to search your server for any affected certificates and either replace or reissue them using the steps outlined by GlobalSign below.

Reissuing an Existing SSL Certificate

Globalsign has asked clients affected by this issue to take the following steps.
1. Search For Impacted Certificates at GlobalSign
2. Reissue any affected SSL Certificates
3. Install New Certificates (select the server type on this page, e.g., Apache, Nginx, IIS)

What if I Need a New SSL Certificate?

In that case, we have outlined below the steps you need to take to install a new SSL certificate.

Obtaining a New SSL Certificate

In order to create a new SSL certificate, we must follow these steps.

1. Generate a CSR — Create a new Certificate Signing Request.

2. Purchase a Certificate — Send the CSR to GlobalSign and pay for the order. They then vet the info and provide a signed certificate.

3. Install the Certificate — We then install the certificate on the server. Typically, this means editing the Apache configuration.

Below, we provide greater detail on accomplishing this task on both Core Managed CentOS and Unmanaged CentOS servers.

To obtain a new SSL certificate, you must first generate a CSR, or Certificate Signing Request. Next, you must submit your CSR to GlobalSign to get a new SSL certificate. Once you have ordered your certificate and the vetting process is complete, you are ready to install your certificate. You can obtain a copy of your certificate at any time via your GlobalSign Certificate Center (GCC) account. It will also be emailed to you.

Note:
Before installing your SSL certificate, you will need to ensure you have two other certificates provided by Globalsign installed. These additional certificates, which can be downloaded here, are known as intermediate certificates and are linked to GlobalSign’s root certificate. These intermediate certificates are needed to ensure your clients’ browsers trust the SSL certificate you are installing.

Generate a CSR Certificate

We begin by generating a CSR to send to GlobalSign for your SSL using this command.

openssl req -new -newkey rsa:2048 -nodes -keyout /etc/ssl/private/mydomain.key -out /etc/ssl/private/mydomain.csr

(replacing “mydomain” with your domain name)

You will be prompted to answer a series of questions, noted below.

  • Country Name: This is the two-letter abbreviation for your country. For example, United States would be US, and Great Britain would be GB.
  • State or Province Name: This is the full name of the state your organization operates from. For example, this might be “California” or “Michigan.”
  • Locality Name: Name of the city your organization operates from. Examples might include “Lansing” or “Phoenix.” Don’t use abbreviations in this field. For example, “St. Helena” should be “Saint Helena.”
  • Organization Name: The name of your organization. If you are a business, you must use your legal name. If you are applying as an individual, use your full name instead.
  • Organizational Unit Name: If applying as a business, you can enter your “Doing Business As” (DBA) name here. Alternatively, you can use a department name here. For example, “IT Department” or “Web Administration.”
  • Common Name: The domain name that you are purchasing an SSL certificate for. This must be a fully qualified domain name (FQDN). An example might be mydomain.com.
  • Email Address: An email address that can be used as a point of contact for your domain. Be sure the address is valid!
  • A challenge password: An optional password to further secure your certificate. Be sure to remember this password if you choose to use it. It must be at least four characters long. You can skip this step if you like.
  • An optional company name: Another optional step. Fill in your company name if you wish. This is not required for web SSL certificates.

Key and CSR Files

In /etc/ssl/private (the directory given to -keyout and -out in the command above), you should see two new files.

  • mydomain.csr
  • mydomain.key

The .key file should be kept private on your server. The .csr file is your new certificate signing request. This file contains the information that will be sent to a Certificate Authority. You can inspect the contents of the CSR by using the “cat” command.

cat /etc/ssl/private/mydomain.csr

-----BEGIN CERTIFICATE REQUEST-----
MIIC5jCCAc4CAQAwgaAxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdBcml6b25hMRAw
DgYDVQQHDAdQaG9lbml4MRswGQYDVQQKDBJNeSBBd2Vzb21lIENvbXBuYXkxFjAU
BgNVBAsMDUlUIERlcGFydG1lbnQxFTATBgNVBAMMDG15ZG9tYWluLmNvbTEhMB8G
CSqGSIb3DQEJARYSYWRtaW5AbXlkb21haW4uY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAsNljF8u2vvTGiSyStD/+4eInQnWlB30o38hWnF+bi6ZS
MmraeigL/HrSoKfUtj/z96PVeK9CFo0AZ12Tq9lBzXtqxSjboIcvr9lZvrycrEYR
qsepF8M18YOjyBfDzXIY13o5Sjnd4e0H7gZCldxy930LjJ1JQC0o4XAbxHd8k7A3
976uh2r6MPdnnQ65UG2vKnMa1MGfT9XTD6dQjj3ZpTqbdG4TnOPFlG4TNXu2zSYl
CX7XHjBKbGx5r/ohQBcqAYFpAMs/7E+gSbkK4jv9Mr8W1gC0CHSJkpT0tqcn+8Lj
1vMi3ysDed6bObC/OMBXAZY2lpALbHvnzy2NJPRPjwIDAQABoAAwDQYJKoZIhvcN
AQELBQADggEBABuUSRgBnv4R1k4UHGngmvQ63jjaZhO6URhQbFzb1e+XHeqou1F8
YSP17A8w23hLfXxs/NCOhQzAn9cFbBGy6dajqMjsCF3timGXHitsmUyswpG3k+dI
bWIsRaJPMSOOz9HcI7ztvN1zs6iiMCZkpI4G+9J5wBqddgXSH+/w5bCViqj0855O
APFUYUEFSB5jS5/e132F5zhcZV5vQ2bato8Zy58gzz5t+q5rn6uuzqc05kmBtDG8
B12RlUt2lBbl6sxQDKQbsM6snwn50H3Xszgn8kyR1VuXOqaKf1X1cCKRTSzYztUp
FeKV0mMwoC9XxX6YCz8eQy66RMVSm3hGI2Y=
-----END CERTIFICATE REQUEST-----

You will need to copy and paste the entire contents of the CSR file to your Certificate Authority when ordering a new SSL certificate. Be sure to include the lines that read 

-----BEGIN CERTIFICATE REQUEST-----

and 

-----END CERTIFICATE REQUEST-----

Order a New SSL Certificate

You can now order a new SSL from within your Manage Dashboard. Select Add and then SSL Certificate.


Next, choose the manual option and paste in the CSR that was generated above.


Lastly, click the Purchase SSL Certificate button.


Install the SSL Certificate

To install the certificate when it arrives, copy the files into the typical location for them, the /etc/httpd/ssl folder on your server. This includes your server certificate, your private key, and the intermediate certificate. Your server certificate can be obtained from the delivery e-mail.

Next, open your Apache configuration file for editing. This will generally be found in one of the following locations.

/etc/httpd/httpd.conf
or
/etc/httpd/sites-enabled/name-of-virtualhost.conf

Now, configure your virtual host to use the certificates. Locate the virtual host for your site in the httpd.conf file. It should look like the example below.

<VirtualHost xxx.xxx.x.x:443>
    DocumentRoot /var/www/examplesite
    ServerName example.com www.example.com
    SSLEngine on
    SSLCertificateFile /path/to/examplesite.crt
    SSLCertificateKeyFile /path/to/privatekey.key
    SSLCertificateChainFile /path/to/intermediate.crt
</VirtualHost>

Point the following directives to the corresponding certificate located in the /etc/httpd/ssl folder.

SSLCertificateFile — This should point to your server certificate.
SSLCertificateKeyFile — This should point to your server's private key.
SSLCertificateChainFile — This should point to the intermediate certificate for your product. (Apache 2.4.8 and later deprecate this directive; there the intermediate certificate can instead be appended after the server certificate in the file named by SSLCertificateFile.)

Test your updated configuration by running the following command.

[root@host2 ~]# apachectl configtest 

or 

[root@host2 ~]# apache2ctl configtest

This will detect any errors in your configuration such as mismatched public and private keys, or an incorrect path.
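The checks a practitioner would run at this point, as an added example that is not part of the original article (it also covers the CSR produced in the Generate a CSR Certificate section): a POSIX shell script using only the openssl command-line tool, which is assumed to be installed. The paths behind the three directives are passed as arguments, and the root certificate argument can be GlobalSign's root downloaded together with the intermediates.

```shell
#!/bin/sh
# Added example, not from the original article: pre-restart checks for the
# CSR generated earlier and for the files named by SSLCertificateFile,
# SSLCertificateKeyFile and SSLCertificateChainFile. Assumes the openssl
# command-line tool is installed; every path is passed as an argument.

# Print the public key carried by a private key file (SPKI, PEM).
pubkey_of_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Return 0 if the CSR's signature verifies and it was built from this key,
# so the CSR you paste into the GlobalSign order really belongs to your key.
csr_matches_key() {
    key="$1"; csr="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    k=$(pubkey_of_key "$key") || return 1
    c=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 if the server certificate and private key share a public key;
# a mismatch here is the "mismatched public and private keys" error that
# apachectl configtest would otherwise report.
key_matches_cert() {
    key="$1"; crt="$2"
    k=$(pubkey_of_key "$key") || return 1
    c=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 if the server certificate chains to the given root through the
# intermediate you intend to serve. This does not check revocation status;
# it catches an intermediate that is not the certificate's issuer (for
# example the old intermediate served next to a reissued certificate) or a
# missing intermediate, both of which break validation in a browser.
chain_verifies() {
    root="$1"; intermediate="$2"; crt="$3"
    openssl verify -CAfile "$root" -untrusted "$intermediate" "$crt" >/dev/null 2>&1
}
```

Omit -CAfile inside chain_verifies to validate against the system trust store instead of an explicitly supplied root.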

Finally, restart Apache.

[root@host2 ~]# systemctl restart httpd.service

Create a New Self Signed SSL Certificate

To create a Self-Signed SSL Certificate on CentOS, follow these commands.

First let’s check whether Apache has the SSL module enabled. 

 [root@host2 ~]# apachectl -M | grep ssl
 [root@host2 ~]#  

If it does not have this module installed, we can install it using this command.

[root@host2 ~]# yum -y install mod_ssl

Next, we restart Apache so the server recognizes the changes.

[root@host2 ~]# service httpd restart

To verify the module is now in place, we rerun the command.

 [root@host2 ~]# apachectl -M | grep ssl
  ssl_module (shared) 

Now, we will create a new folder to store our private key.

[root@host2 ~]# mkdir /etc/httpd/ssl

Since the files stored within this directory must be kept private, we modify the folder permissions to ensure the root user is the only one who has access.

[root@host2 ~]# chmod 700 /etc/httpd/ssl

Create the Key and Self-Signed Certificate

Next, we will create the SSL key and certificate files using the openssl command. Because the -x509 option is given, openssl signs the certificate itself instead of producing a CSR, but you will still be prompted for the same series of questions about the domain as when generating a CSR. Run the following command to begin.

[root@host2 ~]# openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt

Generating a RSA private key
.......................................+++++
...........................+++++
writing new private key to '/etc/httpd/ssl/apache.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Michigan
Locality Name (eg, city) [Default City]:Lansing
Organization Name (eg, company) [Default Company Ltd]:Liquid Web Inc.
Organizational Unit Name (eg, section) []:Marketing
Common Name (eg, your name or your server's hostname) []:host2.g33k.fun
Email Address []:dsinger@liquidweb.com
[root@host2 ~]# 

Add the Self-Signed SSL Certificate to Apache

Next, we add the new certificate locations to our ssl.conf file so Apache serves the new certificate.

vim /etc/httpd/conf.d/ssl.conf

Find the section titled “VirtualHost _default_:443” and add the following Virtual Host configuration on the next line. (On my server this section begins on line 40 of the default ssl.conf file.)

 <VirtualHost _default_:443>
 ServerName host2.g33k.fun:443 

-or-

 <VirtualHost _default_:443>
 ServerName 64.92.237.88:443 

Note: The domain should be the same as the “Common Name” specified in the step above. 

Now, verify that the following variables are set appropriately within the same file: 

SSLEngine on
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key

Make sure each directive points to the location where the corresponding file was created. Then save and exit the file with the command :wq.

Next, restart Apache.

 [root@host2 ~]# systemctl restart httpd.service
 [root@host2 ~]# 

Finally, test your updated configuration by running the following command.

apachectl configtest 

or 

apache2ctl configtest

The output should be similar to the following.

 . . .
 Syntax OK 

This will detect any errors in your configuration such as mismatched public and private keys, or an incorrect path.

Finally, restart Apache again.

[root@host2 ~]# systemctl restart httpd.service

Testing

Open a web browser, and browse to the domain name or IP using https:// to verify the new certificate is active.

https://example.com

Your web browser will most likely show a warning that the website’s security certificate is not trusted. This is normal because our certificate is not signed by a known CA (certificate authority) like Thawte or GlobalSign. This warning simply means the browser is unable to verify the identity of the server that you are trying to connect to. We created a self-signed certificate instead of a trusted CA-signed certificate, so this makes perfect sense.

Once you add an exception to the browser’s identity verification, you will be allowed to proceed to your newly secured site.

Conclusion

Replacing an SSL certificate on a core managed or unmanaged server is often time-consuming and adds a layer of complexity to an already complicated system. SSL certificates are a necessity when dealing with today's security-conscious clients. Demonstrating that you take security seriously only aids in providing a higher level of trust.

Should you have any questions regarding this information, we are always available to answer inquiries about issues related to this article, 24 hours a day, 7 days a week, 365 days a year.

Our Support teams are filled with experienced Linux technicians and talented system administrators who have intimate knowledge of multiple web hosting technologies, especially those discussed in this article.

If you are a Fully Managed VPS server, Cloud Dedicated, VMWare Private Cloud, Private Parent server, Managed Cloud Servers, or Dedicated server owner and you are uncomfortable with performing any of the steps outlined, we can be reached via phone at 800.580.4985, chat, or a support ticket to assist you with this process.


About the Author: David Singer

I am a g33k, Linux blogger, developer, student, and former Tech Writer for Liquidweb.com. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....
