Replacing Expired SSL certificate for Port 443/Apache

Overview

During a vulnerability scan, a vulnerability is reported for an expired SSL certificate for port 443 which corresponds to the httpd (Apache) process.

 

Solution

Configure Apache server:

  • Enter the following command to decrypt the key:
openssl rsa -in ssl.key -out ssl.newkey
  • Run these commands to edit the /etc/httpd/conf.d/ssl.conf file to add the servername that matches the CN on the certificate and to uncomment the CA chain file
cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf_`date +%Y%m%dT%H%M%S`

sed -i 's/#ServerName www.example.com:443/ServerName <servername>:443/'
/etc/httpd/conf.d/ssl.conf

sed -i 's/#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt/SSLCertificateChainFile
/etc/pki/tls/certs/server-chain.crt/' /etc/httpd/conf.d/ssl.conf
  • Run the following commands to copy the certificate files to the locations specified in the /etc/httpd/conf.d/ssl.conf file:
cp ssl.crt /etc/pki/tls/certs/localhost.crt

cp sslca.crt /etc/pki/tls/certs/server-chain.crt

cp ssl.newkey /etc/pki/tls/private/localhost.key

Or, configure the SSLCertificateFile and SSLCertificateKeyFile in the  /etc/httpd/conf.d/ssl.conf file to point to the new certificate files (.crt and .key) in whichever working directory you put them in.

  • Additionally, confirm that the SSLProtocol line is present in the  /etc/httpd/conf.d/ssl.conf file to avoid any vulnerability alerts regarding SSLv3/TLSv1.
  • Cycle/restart the HTTP server
/etc/init.d/httpd restart

Stopping httpd: [ OK ]

Starting httpd: [ OK ]

 

Comments

0 comments

Please sign in to leave a comment.