Certwatch SSL certificate expiry warning

If you have just received an e-mail similar to the one below, read on.

From: root@your.domain.org
To: sysadmin@your.domain.org
Subject: The certificate for server.your.domain.org will expire in 13 days
Date: yesterday (BST)
################# SSL Certificate Warning ################
  Certificate for hostname 'sws.hlan.laczik.org', in file (or by nickname):
     /etc/pki/tls/certs/localhost.crt
  The certificate needs to be renewed; this can be done
  using the 'genkey' program.
  Browsers will not be able to correctly connect to this
  web site using SSL until the certificate is renewed.
 ##########################################################
                                  Generated by certwatch(1)

For a change, there is a simple fix:

openssl req -new -days 365 -x509 -nodes -newkey rsa:2048 -out /etc/pki/tls/certs/localhost.crt -keyout /etc/pki/tls/private/localhost.key
Generating a 2048 bit RSA private key
............+++
...............+++
writing new private key to '/etc/pki/tls/private/localhost.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:My County
Locality Name (eg, city) [Default City]:My Place
Organization Name (eg, company) [Default Company Ltd]:Us
Organizational Unit Name (eg, section) []:Me
Common Name (eg, your name or your server's hostname) []:server
Email Address []:sysadmin@your.domain.org

Alternative command and detailed explanation from letsencrypt.org:

openssl req -x509 -out localhost.crt -keyout localhost.key \
  -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=localhost' -extensions EXT -config <( \
   printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
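A check to run after either command above, as an added example that is not part of the original post: it confirms that the regenerated certificate pairs with its private key and is no longer inside the warning window. The function names, the throwaway `CN=server` certificates and the 30-day threshold are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verify a renewed certificate.

# check_cert CERT KEY [DAYS]
#   0 = key matches and the cert is valid for more than DAYS days
#   1 = cert expires within DAYS days (or has already expired)
#   2 = private key does not belong to this certificate
#   3 = a file is missing or cannot be parsed
check_cert() {
    cc_cert=$1; cc_key=$2; cc_days=${3:-30}
    [ -r "$cc_cert" ] && [ -r "$cc_key" ] || return 3
    # Extract the public key from each file; the PEM text must be identical.
    cc_cpub=$(openssl x509 -in "$cc_cert" -noout -pubkey 2>/dev/null) || return 3
    cc_kpub=$(openssl pkey -in "$cc_key" -pubout 2>/dev/null) || return 3
    [ "$cc_cpub" = "$cc_kpub" ] || return 2
    # -checkend N exits non-zero when the cert expires within N seconds.
    openssl x509 -in "$cc_cert" -noout -checkend $((cc_days * 86400)) \
        >/dev/null || return 1
    return 0
}

# make_throwaway_cert PREFIX DAYS: constructed sample input, built with the
# post's own openssl req options plus -subj so that it runs without prompts.
make_throwaway_cert() {
    openssl req -new -days "$2" -x509 -nodes -newkey rsa:2048 \
        -subj '/CN=server' -out "$1.crt" -keyout "$1.key" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_throwaway_cert "$tmp/fresh" 365
    make_throwaway_cert "$tmp/stale" 13   # same lifetime left as in the mail
    for pair in fresh:fresh stale:stale fresh:stale; do
        rc=0
        check_cert "$tmp/${pair%%:*}.crt" "$tmp/${pair##*:}.key" 30 || rc=$?
        echo "cert=${pair%%:*} key=${pair##*:} -> $rc"
    done
    rm -rf "$tmp"
}
demo
```

On the server itself, call `check_cert /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key` once the new files are in place.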
