KBEC-00070 - Updating a Linux Apache Certificate

Description

On the Linux server, "localhost" can be set as Apache's server name. This is annoying because browsers warn about a host name mismatch when the web UI is first visited.

Solution

  1. Download openssl.cnf to the apache/bin subdirectory of the install location (by default, /opt/electriccloud/electriccommander). Change to the apache/bin directory.

  2. Run the following command to create a private key and certificate signing request. It will be followed by multiple prompts. Enter "abcdef" as the passphrase (you will remove the passphrase in the next step). Leave the rest of the prompts blank EXCEPT for "Common Name." Set it to the host name that users will type when visiting the web UI, "cmdrserver.myhost.com" or just "cmdrserver" for example.

    Assuming that the install directory is $install, the data directory is $data, and the directory in which to store the certificates is $out, the commands to run would be:

    . $install/bash.profile
    $install/bin/openssl req -config $data/conf/openssl.cnf -new -out $out/server.csr

    This creates privkey.pem and server.csr in your current directory.

    The above command creates a 1024-bit RSA key and a CSR signed with a SHA-1 hash. To generate a 2048-bit key and a CSR signed with SHA-256, use the following additional options:

    . $install/bash.profile
    $install/bin/openssl req -config $data/conf/openssl.cnf -new -out $out/server.csr -sha256 -newkey rsa:2048

  3. Use the following command to remove the passphrase from the key file you created above. If you choose not to do this, then each time you start up the Apache Server, a pop-up dialog is displayed prompting you to enter the passphrase.

    $install/bin/openssl rsa -in ./privkey.pem -out $out/server.key

  4. Create a temporary self-signed certificate that expires in 365 days.

    $install/bin/openssl x509 -in $out/server.csr -out $out/server.crt -req -signkey $out/server.key -days 365

  5. The certificate is now created. The new certificate and key are stored in $out/server.crt and $out/server.key. Copy server.crt and server.key to apache/conf, overwriting the old files (you may want to back them up before you do so).

  6. Modify httpd.conf in the apache/conf subdirectory. Search for the line that starts with "ServerName localhost:" and change localhost to the same host name you entered in the "Common Name" prompt when generating the certificate.

  7. Restart Apache by running:

    /etc/init.d/commanderApache restart

  8. Type the server name into your web browser. The mismatch error should no longer occur.
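
A check to run on the output of steps 2 through 6, added here as an example and not part of the original article: it confirms that the certificate's Common Name equals the ServerName host, that server.key belongs to server.crt, that the 2048-bit and SHA-256 options were used, and that the passphrase-free key is readable only by its owner. The function names are illustrative, and the script assumes an openssl binary on the PATH.

```sh
#!/bin/sh
# Added example: checks on the results of steps 2-6. Function names are illustrative.

# Host part of the ServerName directive in httpd.conf (step 6).
servername_host() {
    awk 'tolower($1) == "servername" { sub(/:[0-9]+$/, "", $2); print $2; exit }' "$1"
}

# Subject Common Name of a PEM certificate (the "Common Name" prompt in step 2).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Succeeds only if the private key ($1) and the certificate ($2) share a public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Usage: check_apache_cert server.crt server.key httpd.conf
# Prints one FAIL line per problem and returns non-zero if any check fails.
check_apache_cert() {
    crt=$1 key=$2 conf=$3 rc=0
    host=$(servername_host "$conf")
    cn=$(cert_cn "$crt")
    [ -n "$host" ] && [ "$host" = "$cn" ] ||
        { echo "FAIL: ServerName '$host' does not match certificate CN '$cn'"; rc=1; }
    key_matches_cert "$key" "$crt" ||
        { echo "FAIL: $key is not the private key for $crt"; rc=1; }
    text=$(openssl x509 -in "$crt" -noout -text)
    echo "$text" | grep -q 'Signature Algorithm: sha256' ||
        { echo "FAIL: certificate is not signed with SHA-256"; rc=1; }
    bits=$(echo "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: RSA key is ${bits:-unknown} bits, expected 2048 or more"; rc=1; }
    # Step 3 leaves the key unencrypted on disk, so only its owner should read it.
    case $(ls -ld "$key") in
        -???------*) ;;
        *) echo "FAIL: $key is accessible to group or others"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: certificate for $cn matches key and ServerName"
    return "$rc"
}
```

Source the file and run `check_apache_cert` against the three files in apache/conf before restarting Apache in step 7.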
