Renew website certificate

From CES IT Wiki

How to update a security certificate for a website

If you are renewing the certificate that is currently installed, you do not need to generate the CSR or key files. Go straight to step 4, renew the certificate and download the .cer file; it will match the already installed .key file. Our current web server (Rodeo-Five) uses Nginx instead of Apache.

  1. Generate the CSR file on the web server
    1. Log in via SSH
    2. Enter the following command:
      • openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
    3. Enter the following details:
      • Common name: ces.fas.harvard.edu
      • Organization: President and Fellows of Harvard College
      • Department (OU): Center for European Studies
      • City: Cambridge
      • State: Massachusetts
      • Country: US
    4. The new CSR and key file are written to the current user's home directory (/home/username/)
  2. Copy the CSR to local machine
    1. From local machine, open a CMD window
      • scp -r username@host.ip:/home/username/cert_name.csr C:/local_folder
      • The -r switch copies the whole folder recursively. Use it to keep an off-server backup of the key file
  3. Upload CSR to InCommon
    1. Log into InCommon with federated login
    2. Go to certificates tab and select Renew or Replace
    3. Submit the text of the CSR file
    4. Wait for approval
  4. Download the new certificate
    1. On InCommon, select Details, then next to "Download the Certificate" click Select
    2. Select the "Certificate Only" option
  5. Copy new .cer to server
    • scp C:/local_folder/cert_name.cer username@host.ip:/home/username
  6. Move .cer and Key files to correct folders
    • This assumes the new file names differ from those of the already installed files; files with the same name will be overwritten.
    • sudo mv cert_name.cer /etc/ssl/certs
    • sudo mv key_file_name.key /etc/ssl/private
    1. Rename the old .cer and .key files.
    2. Append .old to each name. This is easiest when you are already in the correct directory
      • sudo mv old_cert_name.cer old_cert_name.cer.old
      • To rename the .key file in /etc/ssl/private/, you must switch to root with sudo -i. Be extremely cautious while doing this, and as soon as the old and new key files are renamed, disconnect and reconnect as the sudo user
  7. Rename new .cer and Key files to match Nginx file
    1. These take the names of the files you just renamed to .old
      • sudo mv ces_fas_harvard_edu.cer ces.fas.harvard.edu.cer
      • Repeat for the key file as the root user
    2. Confirm filenames are correct in Nginx ssl.conf file
      • sudo nano /etc/nginx-sp/vhosts.d/ssl.conf
    3. If the names are correct, the ssl.conf file should already point straight at them
    4. Update the certificate dates recorded in the comments
  8. Restart the Nginx service
    • sudo systemctl restart nginx-sp
    • This should complete without error. If there is an error, the .cer and .key files most likely do not match; confirm that they are named correctly
    1. Test by going to website.
    2. The certificate authority shown in the browser should be "Internet2"
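Before the restart in step 8, it is worth confirming on the server that the renamed .cer and .key files actually belong together and that the new certificate's validity dates are what you expect, since a mismatched pair is the usual cause of the restart error noted above. The script below is an added example, not part of the wiki procedure: it assumes the cert and key paths from step 7 are passed as arguments and that it is run with sudo, because /etc/ssl/private is readable only by root.

```shell
#!/bin/sh
# Added pre-restart checks (not part of the CES wiki procedure). Run on the
# web server with sudo after step 7, before restarting Nginx in step 8.
# Uses only the openssl CLI that the procedure already relies on.

# Exit 0 only when the public key inside the certificate is the one derived
# from the private key, i.e. the .cer and .key that Nginx loads belong together.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 if the certificate stays valid for at least $2 more days (default 14).
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-14} * 86400 )) >/dev/null 2>&1
}

cert_not_after() { openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'; }
cert_issuer()    { openssl x509 -in "$1" -noout -issuer  2>/dev/null | sed 's/^issuer=//'; }

# Run every check against one cert/key pair; exit non-zero if any check fails.
preflight() {
  status=0
  if cert_matches_key "$1" "$2"; then
    echo "OK   certificate and private key match"
  else
    echo "FAIL certificate and private key do NOT match (Nginx restart would error)"
    status=1
  fi
  if cert_not_expiring "$1" "$3"; then
    echo "OK   valid beyond the next ${3:-14} days, expires $(cert_not_after "$1")"
  else
    echo "FAIL expires within ${3:-14} days: $(cert_not_after "$1")"
    status=1
  fi
  # The issuer line is informational; the wiki expects the browser to show "Internet2".
  echo "INFO issuer: $(cert_issuer "$1")"
  return $status
}

# Usage: sudo sh preflight.sh /etc/ssl/certs/NAME.cer /etc/ssl/private/NAME.key [min_days]
if [ $# -ge 2 ]; then
  preflight "$1" "$2" "${3:-14}"
fi
```

The expiry date it prints is also the value to copy into the ssl.conf comments in step 7.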