Guide to handling SSL certificates

Overview

This is a guide to updating the SSL certificate on a Linux web server running Nginx as a proxy.

Obtain necessary files

  • Cert.pfx or similar (the PKCS#12 file containing the new certificate and its private key).
  • The GoDaddy certificate bundle of type "G2 With Cross to G1, includes Root". This is typically called gd_bundle-g2-g1.crt and can be downloaded from https://certs.godaddy.com/repository or retrieved directly from the Linux command line (see below).

Configure the required certificate file within a Linux shell

(Refer to: https://www.openssl.org/docs/man1.0.2/apps/pkcs12.html)

Export the client certificate from the .PFX file

  • Copy the Cert.pfx file to the Linux working directory.
  • Enter the following command to export the client certificate from the .PFX file (-clcerts selects only the client certificate and -nokeys omits the private key). You may be prompted for the import password, typically "password":
    • openssl pkcs12 -in Cert.pfx -clcerts -nokeys -out new_mysite.crt

Obtain the GoDaddy certificate bundle from GoDaddy

Or convert a P7B bundle file to PEM format (for example gd-g2_iis_intermediates.p7b to gd-g2_iis_intermediates.crt):

  • openssl pkcs7 -print_certs -in gd-g2_iis_intermediates.p7b -out gd-g2_iis_intermediates.crt

Add the GoDaddy bundle to the client certificate file

  • Enter the following command to append the GoDaddy file to the end of the new client certificate:
    • cat ./gd_bundle-g2-g1.crt >>./new_mysite.crt
  • Or
    • cat ./gd-g2_iis_intermediates.crt >>./new_mysite.crt

Configure the required RSA key file within a Linux shell

(Refer also to: https://www.openssl.org/docs/man1.0.2/apps/rsa.html)

Export a private key from the .PFX file

  • Enter the following command to export the private key from the .PFX file (-nocerts omits the certificates and -nodes leaves the private key unencrypted, i.e. no DES encryption). You may be prompted for the import password, typically "password":
    • openssl pkcs12 -in Cert.pfx -nocerts -nodes -out new_mysite_priv.key

Create an RSA version of the private key

  • Enter the following command to convert the private key to RSA format:
    • openssl rsa -in new_mysite_priv.key -out new_mysite_rsa.key

Install the new certificate and restart Nginx

Background information

  • The path to the certificate files is /etc/nginx/keys and is defined in /etc/nginx/conf.d/default.conf.

Install new files

  • Enter the following commands to copy the new files over the existing ones and restart the Nginx server process (note the use of sudo to avoid permission problems):
    • sudo bash -c "cp ./new_mysite.crt /etc/nginx/keys/mysite.crt"
    • sudo bash -c "cp ./new_mysite_rsa.key /etc/nginx/keys/mysite.key"
    • sudo service nginx restart

Profit