Introduction
During installation, a self-signed SSL certificate (v1) is generated from the host name and domain specified in the setup process, to enable HTTPS access to the WUI of IPFire via port 444.
If you change the host name and/or domain name afterwards, the SSL certificate has to be rebuilt; otherwise the browser will complain not only about the self-signed certificate, but also about the mismatch between the URL and the name contained in the certificate.
Generating an SSL certificate is not difficult if you follow a few rules and know where the SSL certificate is stored.
Step-by-step Instructions
Backup the existing keys and certificates
The server.key, server-ecdsa.key and the corresponding SSL certificates are stored in the folder /etc/httpd of a standard IPFire installation.
First, back up the existing certificates that you want to replace.
Change to /etc/httpd and use the commands:
cp server.key server.key.old &&
cp server.csr server.csr.old &&
cp server.crt server.crt.old
cp server-ecdsa.key server-ecdsa.key.old &&
cp server-ecdsa.csr server-ecdsa.csr.old &&
cp server-ecdsa.crt server-ecdsa.crt.old
to save the existing files:
- [certificatename].key (private key, needed to create the CSR and the SSL certificate)
- [certificatename].csr (Certificate Signing Request, the request file used to build the SSL certificate)
- [certificatename].crt (the SSL certificate itself)
in the current folder (/etc/httpd), where [certificatename] stands for both server and server-ecdsa.
Create new private keys
Note!
All SSL certificates based on the old server.key or server-ecdsa.key become invalid once a new private key is created!
Use these commands:
openssl genrsa -out server.key 4096
openssl ecparam -genkey -name secp384r1 -noout -out server-ecdsa.key
to create new RSA and ECDSA private keys without a pass phrase.
Generate new CSRs (Certificate Signing Request)
Use these commands:
openssl req -new -key server.key -out server.csr
openssl req -new -key server-ecdsa.key -out server-ecdsa.csr
to create the new RSA and ECDSA CSRs.
Note!
It is important to set the Common Name to the correct host name and domain name (e.g. ipfire.my-domain) of your IPFire system.
Create new SSL-Certificates
RFC 2818 has deprecated falling back to the commonName field since May 2000. Chrome has enforced the use of the subjectAltName field since version 58 (see Chrome 58 deprecations).
OpenSSL accepts x509v3 configuration files to add extensions to certificates (see the subjectAltName field for configuration options).
So first, create a config file that adds a Subject Alternative Name to your certificate:
touch v3.ext
Then edit the file and add the following configuration details. Make sure the subjectAltName matches the Common Name used earlier; you can also add further alternative names (replace the example values with the host name, domain and IP address of your IPFire system):
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
# DNS names and IP addresses the certificate is valid for; example values, replace with your own
subjectAltName = DNS:example.com, DNS:*.example.com, IP:1.2.3.4
issuerAltName = issuer:copy
Once the v3 config file is ready, proceed to issuing the final certificates.
Use these commands:
openssl x509 -req -days 999999 -in server.csr -signkey server.key -out server.crt -extfile v3.ext
openssl x509 -req -days 999999 -in server-ecdsa.csr -signkey server-ecdsa.key -out server-ecdsa.crt -extfile v3.ext
to create new self-signed SSL-Certificates.
Restart the Apache web server
Use this command:
/etc/init.d/apache restart
to restart the web server.
If you want to check the new certificate, start your browser and access the WUI of your IPFire via https://
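As an added example (not part of the IPFire wiki page), the following POSIX shell script rebuilds an ECDSA key, CSR and self-signed certificate with this page's v3.ext in a scratch directory, then checks what the browser will check: that the certificate is valid for the intended host name via its subjectAltName, and that it belongs to the private key. It assumes openssl is on PATH; the host name ipfire.example.test, the non-interactive -subj/-batch CSR creation and the 365-day lifetime are assumptions, not the page's values.

```shell
#!/bin/sh
# Added example, not from the IPFire wiki: rebuild a self-signed ECDSA certificate
# with a subjectAltName for a given host name in a scratch directory (leaving
# /etc/httpd untouched) and verify the result. Assumes openssl(1) is on PATH.
set -eu

# Write the v3.ext from this page to file $2 with the SAN set to host name $1.
write_v3_ext() {
  cat > "$2" <<EOF
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName = DNS:$1
issuerAltName = issuer:copy
EOF
}

# Generate key, CSR and self-signed certificate for host $1 in directory $2.
# -subj/-batch replace the interactive prompts of the page's "openssl req" call;
# the 365-day lifetime is an assumption (the page uses 999999).
make_cert() {
  write_v3_ext "$1" "$2/v3.ext"
  openssl ecparam -genkey -name secp384r1 -noout -out "$2/server-ecdsa.key"
  openssl req -new -batch -key "$2/server-ecdsa.key" -subj "/CN=$1" -out "$2/server-ecdsa.csr"
  openssl x509 -req -days 365 -in "$2/server-ecdsa.csr" -signkey "$2/server-ecdsa.key" \
    -out "$2/server-ecdsa.crt" -extfile "$2/v3.ext" 2>/dev/null
}

# Succeed only if the certificate in $2 is valid for host name $1 (matched against
# the SAN, as a browser does) and its public key is the one of the private key.
check_cert() {
  openssl x509 -in "$2/server-ecdsa.crt" -noout -checkhost "$1" | grep -q "does match" || return 1
  [ "$(openssl x509 -in "$2/server-ecdsa.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$2/server-ecdsa.key" -pubout)" ] || return 1
}

# Usage with a constructed host name; the second check shows a name the SAN does not cover.
work="$(mktemp -d)"
make_cert "ipfire.example.test" "$work"
check_cert "ipfire.example.test" "$work" && echo "certificate OK for ipfire.example.test"
check_cert "other.example.test" "$work" || echo "certificate does not cover other.example.test"
rm -rf "$work"
```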