Guide to handling SSL certificates
Overview
This is a guide to updating the SSL/TLS certificate on a Linux web server that runs Nginx as a reverse proxy. The input is a PKCS#12 (.pfx) file; the output is the PEM certificate chain and unencrypted private key that Nginx reads.
Obtain necessary files
- Cert.pfx or similar: the PKCS#12 file that contains the new server certificate and its private key, protected by an import password.
- The GoDaddy certificate bundle of type "G2 With Cross to G1, includes Root". This is typically called gd_bundle-g2-g1.crt and can be downloaded from https://certs.godaddy.com/repository or retrieved directly from the Linux command line (see below).
Configure the required certificate file within a Linux shell
(Refer to: https://www.openssl.org/docs/man1.0.2/apps/pkcs12.html)
Export the server certificate from the .PFX file
- Copy the Cert.pfx file to the Linux working directory.
- Enter the following command to export the server (end-entity) certificate from the .PFX file. -clcerts outputs only the end-entity certificate and not the CA certificates stored in the file; -nokeys omits the private key. OpenSSL prompts for the PFX import password, which is whatever was set when the file was exported (in this environment, typically "password"):
- openssl pkcs12 -in Cert.pfx -clcerts -nokeys -out new_mysite.crt
- The output starts with a few "Bag Attributes" lines before the -----BEGIN CERTIFICATE----- block. Nginx ignores them, so they do not need to be removed.
Obtain the GoDaddy certificate bundle from GoDaddy
- Either download the gd_bundle-g2-g1.crt file via a browser and transfer it to the Linux working directory, or fetch it directly from the repository URL above with curl or wget.
Or convert a PKCS#7 bundle file (for example gd-g2_iis_intermediates.p7b) to PEM
- openssl pkcs7 -print_certs -in gd-g2_iis_intermediates.p7b -out gd-g2_iis_intermediates.crt
- If OpenSSL reports that it cannot load the file, the .p7b is DER-encoded rather than PEM; add -inform DER to the command.
Add the GoDaddy bundle to the server certificate file
- Enter the following command to append the GoDaddy bundle to the end of the new certificate file. Order matters: Nginx sends the certificates in file order, so the server certificate must come first and the intermediates after it:
- cat ./gd_bundle-g2-g1.crt >>./new_mysite.crt
- Or
- cat ./gd-g2_iis_intermediates.crt >>./new_mysite.crt
Configure the required RSA key file within a Linux shell
(Refer also to: https://www.openssl.org/docs/man1.0.2/apps/rsa.html)
Export the private key from the .PFX file
- Enter the following command to export the private key from the .PFX file. -nocerts omits the certificates and -nodes writes the key unencrypted, which is what Nginx needs to start without a passphrase prompt. The PFX import password will be requested (in this environment, typically "password"). The resulting file holds the key in plaintext, so keep it readable only by your user and delete the working copies once the key is installed:
- openssl pkcs12 -in Cert.pfx -nocerts -nodes -out new_mysite_priv.key
Create an RSA version of the private key
- Enter the following command to rewrite the key in RSA (PKCS#1, "BEGIN RSA PRIVATE KEY") format. This also strips the "Bag Attributes" header that pkcs12 emits; Nginx accepts either the original PKCS#8 form or this one, so the step is mainly a clean-up:
- openssl rsa -in new_mysite_priv.key -out new_mysite_rsa.key
- If the certificate was issued for an EC key, openssl rsa fails with an "expecting an rsa key" error; use openssl pkey -in new_mysite_priv.key -out new_mysite.key instead, which handles any key type.
Install the new certificate and restart Nginx
Background information
- The path to the certificate files is /etc/nginx/keys and is defined in /etc/nginx/conf.d/default.conf.
Install new files
- Before copying, confirm that the key and certificate belong together by comparing the public key from each (openssl x509 -noout -pubkey on the certificate and openssl rsa -pubout on the key must print identical output); a mismatch will only show up as an Nginx start-up failure otherwise.
- Enter the following commands to copy the new files over the existing ones and restart the Nginx server process (note use of sudo to avoid permission problems). The installed key file should be owned by root with mode 0600, and it is worth running the configuration test (sudo nginx -t) before the restart so that a bad file does not take the site down; a reload is also sufficient for a certificate change and avoids dropping connections:
- sudo bash -c "cp ./new_mysite.crt /etc/nginx/keys/mysite.crt"
- sudo bash -c "cp ./new_mysite_rsa.key /etc/nginx/keys/mysite.key"
- sudo service nginx restart
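The whole procedure above, from Cert.pfx to verified files ready for /etc/nginx/keys, as an added shell script. This is example code written for this guide, not a script from the original page or from GoDaddy. So that it runs offline it builds its own throwaway CA, leaf certificate and Cert.pfx (password "password") and uses the CA certificate as a stand-in for gd_bundle-g2-g1.crt; on a real server you would skip make_sample_pfx, place the real files in $WORK, and run install_into_nginx as root. The working-directory name WORK and the function names are this example's own.

```shell
#!/bin/sh
# Added example: Cert.pfx -> new_mysite.crt (leaf + bundle) and
# new_mysite_rsa.key, with the checks worth running before installing.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # working directory (assumed name)

# Constructed test input, not a real GoDaddy-issued file: a throwaway CA and a
# leaf certificate packed into Cert.pfx with import password "password".
# The CA certificate doubles as the "bundle" that gets appended to the leaf.
make_sample_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mysite.example" \
      -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 2 -out "$WORK/leaf.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/leaf.crt" -inkey "$WORK/leaf.key" \
      -certfile "$WORK/ca.crt" -passout pass:password -out "$WORK/Cert.pfx"
  cp "$WORK/ca.crt" "$WORK/gd_bundle-g2-g1.crt"
}

# Step 1: end-entity certificate only (-clcerts -nokeys), then the bundle
# appended after it. Leaf first, because Nginx sends the file in order.
build_cert_chain() {
  openssl pkcs12 -in "$WORK/Cert.pfx" -clcerts -nokeys -passin pass:password \
      -out "$WORK/new_mysite.crt" 2>/dev/null
  cat "$WORK/gd_bundle-g2-g1.crt" >> "$WORK/new_mysite.crt"
}

# Step 2: unencrypted key (-nocerts -nodes), rewritten as a bare RSA key so the
# pkcs12 "Bag Attributes" header is gone. umask 077 in a subshell keeps the
# plaintext key files at mode 0600 without changing the caller's umask.
extract_key() {
  ( umask 077
    openssl pkcs12 -in "$WORK/Cert.pfx" -nocerts -nodes -passin pass:password \
        -out "$WORK/new_mysite_priv.key" 2>/dev/null
    openssl rsa -in "$WORK/new_mysite_priv.key" -out "$WORK/new_mysite_rsa.key" 2>/dev/null )
}

# Step 3: the key must belong to the certificate. Hash the SubjectPublicKeyInfo
# taken from each side; a mismatch means the wrong PFX or the wrong key file.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$WORK/new_mysite.crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl rsa -in "$WORK/new_mysite_rsa.key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Step 4: the leaf (first certificate in the file) must chain to the bundle.
chain_verifies() {
  openssl verify -CAfile "$WORK/gd_bundle-g2-g1.crt" "$WORK/new_mysite.crt" >/dev/null 2>&1
}

# Step 5 (root only, not run here): install with tight permissions, test the
# configuration, and reload rather than restart. Paths follow the guide.
install_into_nginx() {
  install -o root -g root -m 0644 "$WORK/new_mysite.crt" /etc/nginx/keys/mysite.crt
  install -o root -g root -m 0600 "$WORK/new_mysite_rsa.key" /etc/nginx/keys/mysite.key
  nginx -t && service nginx reload
}

make_sample_pfx
build_cert_chain
extract_key
key_matches_cert && echo "key matches certificate"
chain_verifies && echo "leaf verifies against bundle"
# install_into_nginx   # uncomment on the real server, as root
```

The two checks are the ones the manual procedure lacks: Nginx only reports a key/certificate mismatch when it (re)starts, which is the worst moment to discover it, and an incomplete or wrongly ordered chain is invisible from the server itself until a client rejects the handshake.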
Profit