Certwatch SSL certificate expiry warning

If you have just received an e-mail similar to the one below, read on.

From: root@your.domain.org
To: sysadmin@your.domain.org
Subject: The certificate for server.your.domain.org will expire in 13 days
Date: yesterday (BST)

################# SSL Certificate Warning ################

Certificate for hostname 'sws.hlan.laczik.org', in file (or by nickname):
/etc/pki/tls/certs/localhost.crt

The certificate needs to be renewed; this can be done using the 'genkey' program.

Browsers will not be able to correctly connect to this web site using SSL until the certificate is renewed.

##########################################################
Generated by certwatch(1)

For a change, there is a simple fix:

openssl req -new -days 365 -x509 -nodes -newkey rsa:2048 -out /etc/pki/tls/certs/localhost.crt -keyout /etc/pki/tls/private/localhost.key

Generating a 2048 bit RSA private key
.....+++
.......+++
writing new private key to '/etc/pki/tls/private/localhost.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:My County
Locality Name (eg, city) [Default City]:My Place
Organization Name (eg, company) [Default Company Ltd]:Us
Organizational Unit Name (eg, section) []:Me
Common Name (eg, your name or your server's hostname) []:server
Email Address []:sysadmin@your.domain.org

An alternative command, with a detailed explanation, from letsencrypt.org (this one also sets a subjectAltName, which browsers require in addition to the CN):

openssl req -x509 -out localhost.crt -keyout localhost.key \
  -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=localhost' -extensions EXT -config <( \
   printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
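To tie the two halves of this post together, here is an added example (not from the original post, certwatch or letsencrypt.org) that does the certwatch-style expiry check and the renewal in one script, using only openssl(1). The certificate includes a subjectAltName like the letsencrypt.org command does; the paths, the hostname and the 30-day threshold are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example (not from the original post): a certwatch-style expiry check
# plus renewal of a self-signed certificate, using only openssl(1).
# Paths, hostname and the 30-day threshold are assumptions.

# Return 0 if the certificate in $1 expires within $2 days, 1 otherwise.
# 'openssl x509 -checkend' exits 0 when the certificate is still valid past
# the window, so the sense is inverted. A missing or unreadable file also
# returns 0: it needs attention just as much as an expiring one.
cert_expires_within() {
    cert="$1"; days="$2"
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Generate a new self-signed certificate for hostname $1 valid for $4 days,
# writing the certificate to $2 and the unencrypted key to $3. The SAN
# extension is included, as in the letsencrypt.org command, because browsers
# ignore the CN on its own.
renew_selfsigned() {
    host="$1"; cert="$2"; key="$3"; days="$4"
    conf=$(mktemp) || return 1
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ext\nprompt = no\n[dn]\nCN = %s\n[ext]\nsubjectAltName = DNS:%s\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n' \
        "$host" "$host" > "$conf"
    if openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days "$days" \
            -config "$conf" -out "$cert" -keyout "$key" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$conf"
    return $rc
}

# Invocation (constructed paths, matching the certwatch mail above):
#   CERT=/etc/pki/tls/certs/localhost.crt KEY=/etc/pki/tls/private/localhost.key \
#   HOST=server.your.domain.org sh renew-localhost.sh
if [ -n "${CERT:-}" ] && [ -n "${KEY:-}" ] && [ -n "${HOST:-}" ]; then
    if cert_expires_within "$CERT" 30; then
        renew_selfsigned "$HOST" "$CERT" "$KEY" 365 && echo "renewed $CERT"
    else
        echo "$CERT is valid for more than 30 days"
    fi
fi
```

Remember to reload the web server after renewal so it picks up the new files; certwatch only reads the certificate, it does not restart anything.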
