Generate the new key

The existing key (see the old CSR below) is only 1024-bit RSA, so generate a fresh 2048-bit key rather than reusing it. -aes256 encrypts the key file with a passphrase; the trade-off is that the passphrase must be supplied whenever the service starts (Apache will prompt for it via SSLPassPhraseDialog), and some daemons, Postfix among them, cannot prompt at all and need an unencrypted copy.

root@vimes:/etc/ssl# openssl genrsa -aes256 -out ./private/star.kumari.net-20110723.key 2048
Generating RSA private key, 2048 bit long modulus
......................................................................................................+++
.................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for ./private/star.kumari.net-20110723.key:
Verifying - Enter pass phrase for ./private/star.kumari.net-20110723.key:
Get the subject details from the old CSR, so the new request carries the same DN. Note the two things worth replacing: the 1024-bit key and the sha1WithRSAEncryption request signature.

root@vimes:/etc/ssl# openssl req -in star.kumari.net.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Virginia, L=Sterling, O=Warren Kumari, OU=Warren Kumari, CN=*.kumari.net/emailAddress=warrenkumari.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a1:a1:f4:8a:50:e3:71:ee:4e:d2:3d:51:97:2c:
                    [SNIP]
                    94:e9:1f:e7:07:e1:90:1e:ab
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        71:b5:82:16:4f:7e:c9:f8:e9:3e:55:fe:86:d9:b9:e9:13:a2:
        [SNIP]
        23:7d:1f:68:38:5d:ca:12:f9:1e:44:3c:e4:47:a5:be:09:ac:
        0b:6b
Now generate a new CSR with the new key. The bracketed defaults come from openssl.cnf and match the old DN, so only the Common Name needs typing; it must be the wildcard name, not the default personal name. Leave the challenge password blank.

root@vimes:/etc/ssl# openssl req -new -key ./private/star.kumari.net-20110723.key -out star.kumari.net-20110723.csr
Enter pass phrase for ./private/star.kumari.net-20110723.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Virginia]:
Locality Name (eg, city) [Sterling]:
Organization Name (eg, company) [Warren Kumari]:
Organizational Unit Name (eg, section) [Warren Kumari]:
Common Name (eg, YOUR name) [Warren Kumari]:*.kumari.net
Email Address [warren.at.kumari.net]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

root@vimes:/etc/ssl# ls
certs  openssl.cnf  private  star.kumari.net-20110723.csr  star.kumari.net.csr  wildcard.kumari.net.csr  www.kumari.net_godaddy.csr
And provide the CSR to the CA. Only the CSR is sent; the private key never leaves the host.

root@vimes:/etc/ssl# more star.kumari.net-20110723.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIC4jCCAcoCAQAwgZwxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhWaXJnaW5pYTER
MA8GA1UEBxMIU3RlcmxpbmcxFjAUBgNVBAoTDVdhcnJlbiBLdW1hcmkxFjAUBgNV
[SNIP]
e+WZXl16+MwNDk0tBQsOn2Z0ppC60O42wouMOIMJD904WS/72/NbDsxVmkmfig/Y
UqrjcdnOXYfkzOfitv2TWlMwW7WtGQ==
-----END CERTIFICATE REQUEST-----
Installing / using the new certificate
If the certificate is issued by an intermediate CA (as RapidSSL's are), clients can only build a chain to a trusted root if the server sends the intermediate certificate along with its own. There are a few ways to arrange that.

Apache's mod_ssl has a directive specifically for the intermediate chain, SSLCertificateChainFile. The configuration below uses SSLCACertificateFile instead; that directive is documented as the set of CAs trusted for client-certificate authentication, but in practice mod_ssl also completes the server's chain from it, which is why this works.
# We want SSL for this site.
SSLEngine On
# Cert and key locations
SSLCertificateFile /etc/ssl/certs/star.kumari.net-20110723.crt
# Intermediate cert. (SSLCertificateChainFile is the directive mod_ssl documents for
# this; SSLCACertificateFile is meant for client-auth CAs but also works here in practice.)
SSLCACertificateFile /etc/ssl/certs/RapidSSL_CA_bundle.pem
# And the key... (encrypted with -aes256, so Apache prompts for the passphrase at startup)
SSLCertificateKeyFile /etc/ssl/private/star.kumari.net-20110723.key
Postfix (and others)
Some software has no separate setting for intermediate CA certificates. The usual workaround is to put the server certificate and the intermediate certificate(s) in one file: server certificate first, then the intermediate(s) in order up the chain, and no root. The order matters, because OpenSSL-based servers treat the first certificate in the file as the server certificate and send the rest as the chain; a bundle with the intermediate first will be served as the wrong certificate.

Create the combined pem file (server certificate first, CA bundle second):
$ cat star.kumari.net-20110723.pem RapidSSL_CA_bundle.pem > star.kumari.net-20110723-bundle.pem
Now tell Postfix about it. Postfix cannot prompt for a passphrase, so smtpd_tls_key_file must point at an unencrypted copy of the key (strip the passphrase with openssl rsa, keep the copy root-owned and mode 0600):

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/star.kumari.net-20110723-bundle.pem
# Must be an unencrypted key: Postfix has no way to ask for a passphrase.
smtpd_tls_key_file=/etc/ssl/private/star.kumari.net-20110723.key
# smtpd_use_tls is the pre-2.3 parameter; on current Postfix use smtpd_tls_security_level = may
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
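The script below is an added example, not code from the original post. It covers both the key-and-CSR steps above and the bundling step: it builds a throwaway root -> intermediate -> leaf chain in a temporary directory (every file name and subject in it is an assumption for the demo, so it runs offline) and then applies the three checks you would run on the real star.kumari.net key, CSR and RapidSSL-issued files: that the new key belongs to the new CSR and to the issued certificate, that the combined file starts with the server certificate rather than the intermediate, and that the chain verifies to a root. It also shows that openssl verify alone does not catch a wrongly ordered bundle.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a throwaway root -> intermediate -> leaf
# chain under $WORK so the checks run offline; all file names here are demo assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Build the demo chain. Extensions go through -extfile so this also works on old openssl
# builds without -addext. Root and intermediate get CA:TRUE, the leaf gets CA:FALSE + a SAN.
make_demo_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' > "$WORK/leaf.ext"
  for n in root int leaf; do
    openssl genrsa -out "$WORK/$n.key" 2048 2>/dev/null   # unencrypted: no prompts in a script
  done
  openssl req -new -key "$WORK/root.key" -subj "/CN=Demo Root CA" -out "$WORK/root.csr"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -key "$WORK/int.key" -subj "/CN=Demo Intermediate CA" -out "$WORK/int.csr"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
  openssl req -new -key "$WORK/leaf.key" -subj "/CN=*.example.test" -out "$WORK/leaf.csr"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
  # What Postfix wants: server certificate first, then the intermediate (never the root).
  cat "$WORK/leaf.crt" "$WORK/int.crt" > "$WORK/good-bundle.pem"
  # The common mistake: the same two certificates, intermediate first.
  cat "$WORK/int.crt" "$WORK/leaf.crt" > "$WORK/bad-bundle.pem"
}

# Check 1: the private key belongs to the CSR / certificate. Compare the RSA modulus.
# For an -aes256 key as in the post, openssl will prompt for the passphrase here.
modulus_of() {  # (rsa|req|x509) file
  openssl "$1" -in "$2" -noout -modulus | openssl md5
}
key_matches_csr()  { [ "$(modulus_of rsa "$1")" = "$(modulus_of req "$2")" ]; }
key_matches_cert() { [ "$(modulus_of rsa "$1")" = "$(modulus_of x509 "$2")" ]; }

# Check 2: the first certificate in the combined file is the server certificate.
# openssl x509 reads only the first PEM block, so its fingerprint must equal the leaf's.
bundle_first_is_leaf() {  # bundle leaf
  [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ]
}

# Check 3: the chain builds to a trusted root. -untrusted supplies the intermediates; for
# the real certificate pass the CA's bundle there and drop -CAfile to use the system store.
# This passes for the badly ordered bundle as well: verify only needs a pool of
# intermediates, which is exactly why check 2 exists.
chain_verifies() {  # root bundle leaf
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

main() {
  make_demo_chain
  key_matches_csr  "$WORK/leaf.key" "$WORK/leaf.csr" && echo "key matches CSR:   ok"
  key_matches_cert "$WORK/leaf.key" "$WORK/leaf.crt" && echo "key matches cert:  ok"
  bundle_first_is_leaf "$WORK/good-bundle.pem" "$WORK/leaf.crt" && echo "good-bundle order: ok"
  bundle_first_is_leaf "$WORK/bad-bundle.pem"  "$WORK/leaf.crt" || echo "bad-bundle order:  WRONG (intermediate first)"
  chain_verifies "$WORK/root.crt" "$WORK/good-bundle.pem" "$WORK/leaf.crt" && echo "chain verifies:    ok"
}
main
```

Against a live server the same order check is `openssl s_client -connect host:443 -showcerts </dev/null`: the first certificate printed must be the server's, followed by the intermediate, and the verify return code at the end should be 0. For Postfix use `-starttls smtp -connect host:25`.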