During a vulnerability scan, a vulnerability is reported for an expired SSL certificate on port 443, which corresponds to the httpd (Apache) process. Replacing the certificate involves requesting a new one, installing the new certificate, CA chain and key, adjusting /etc/httpd/conf.d/ssl.conf, and restarting httpd.
- Follow the steps in Requesting and Configuring New SSL Certificates to request and extract the new certificate files (the server certificate, the CA chain, and the private key).
Configure the Apache server:
- Enter the following command to remove the passphrase from the private key (you are prompted for the current passphrase). httpd needs an unencrypted key so that it can start without prompting:
openssl rsa -in ssl.key -out ssl.newkey
- Run these commands to back up the /etc/httpd/conf.d/ssl.conf file, then edit it to add a ServerName that matches the CN on the certificate and to uncomment the CA chain file line. Replace <servername> with the CN from the certificate. The second sed uses | as its delimiter because the chain file path contains slashes:
cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf_`date +%Y%m%dT%H%M%S`
sed -i 's/#ServerName www.example.com:443/ServerName <servername>:443/' /etc/httpd/conf.d/ssl.conf
sed -i 's|#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt|SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt|' /etc/httpd/conf.d/ssl.conf
- Run the following commands to copy the certificate files to the locations specified by the SSLCertificateFile, SSLCertificateChainFile and SSLCertificateKeyFile directives in the /etc/httpd/conf.d/ssl.conf file:
cp ssl.crt /etc/pki/tls/certs/localhost.crt
cp sslca.crt /etc/pki/tls/certs/server-chain.crt
cp ssl.newkey /etc/pki/tls/private/localhost.key
Because the key is now unencrypted, make sure the copy in /etc/pki/tls/private is owned by root and readable only by root (mode 0600), and remove the decrypted ssl.newkey from the working directory once it is in place.
Or, set the SSLCertificateFile, SSLCertificateChainFile and SSLCertificateKeyFile directives in the /etc/httpd/conf.d/ssl.conf file to point to the new certificate files (.crt and .key) in whichever working directory you put them in. The same ownership and permission requirements apply to the key wherever it lives.
- Additionally, confirm that an SSLProtocol line is present in the /etc/httpd/conf.d/ssl.conf file and that it disables SSLv3 and TLSv1, to avoid vulnerability alerts regarding SSLv3/TLSv1. The stock line only removes SSLv2; SSLv3 and TLSv1 must be removed with their own -SSLv3 and -TLSv1 tokens, or the line must start from -all and add only the TLS versions you want.
- Restart the HTTP server. With the SysV init script this is service httpd restart (on systemd hosts use systemctl restart httpd); the init script reports:
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
If httpd fails to start, the usual causes are a key that does not match the certificate, a key that still has a passphrase, or a typo introduced by the sed edits; check /var/log/httpd/error_log and the backup copy of ssl.conf.
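The procedure above as one script, added here as an example and not code from the original article. It applies the ssl.conf edits to a constructed copy of the stock file in a temporary directory, checks that ServerName, the chain file and SSLProtocol end up in the state the scanner expects, and verifies that the decrypted key belongs to the new certificate and that the certificate is not already expired. The SSLProtocol value, the example hostnames and the sample ssl.conf contents are assumptions; on a real host you would call configure_ssl_conf and the checks against /etc/httpd/conf.d/ssl.conf and the files under /etc/pki/tls.

```shell
#!/bin/sh
# Added example, not code from the original article: applies the ssl.conf edits
# to a constructed copy of the stock file in a temporary directory and verifies
# the result before httpd is restarted.  On a real host call
# configure_ssl_conf /etc/httpd/conf.d/ssl.conf <servername> instead.
set -eu

# The article's two edits, with a timestamped backup.  '|' is the sed delimiter
# because the chain-file path contains slashes; '^' pins the match to the
# commented-out directives at column 0 of the stock ssl.conf.
configure_ssl_conf() {
    conf="$1"; servername="$2"
    cp "$conf" "${conf}_$(date +%Y%m%dT%H%M%S)"
    sed -i "s|^#ServerName www.example.com:443|ServerName ${servername}:443|" "$conf"
    sed -i 's|^#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt|SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt|' "$conf"
}

# Replace the SSLProtocol line, or add one after 'SSLEngine on' if it is absent.
# The value passed in is an assumption for this example; the stock
# 'SSLProtocol all -SSLv2' still negotiates SSLv3 and TLSv1, which the scanner flags.
set_ssl_protocol() {
    conf="$1"; value="$2"
    if grep -q '^SSLProtocol ' "$conf"; then
        sed -i "s|^SSLProtocol .*|SSLProtocol ${value}|" "$conf"
    else
        sed -i "s|^SSLEngine on|SSLEngine on\nSSLProtocol ${value}|" "$conf"
    fi
}

# Evaluate an SSLProtocol line the way mod_ssl does: plain or '+' enables a
# version, '-' disables it, 'all' covers every version, processed left to right.
# Succeeds only if SSLv3 and TLSv1 both end up disabled.
ssl_protocol_hardened() {
    sslv3=0; tlsv1=0
    set -- $1
    [ "${1-}" = "SSLProtocol" ] && shift
    for tok in "$@"; do
        case "$tok" in
            all|+all)     sslv3=1; tlsv1=1 ;;
            -all)         sslv3=0; tlsv1=0 ;;
            SSLv3|+SSLv3) sslv3=1 ;;
            -SSLv3)       sslv3=0 ;;
            TLSv1|+TLSv1) tlsv1=1 ;;
            -TLSv1)       tlsv1=0 ;;
            *)            ;;   # TLSv1.1/1.2/1.3 and SSLv2 do not affect this check
        esac
    done
    [ "$sslv3" -eq 0 ] && [ "$tlsv1" -eq 0 ]
}

# Report whether CONF is in the state the scan expects; stderr says what is wrong.
check_ssl_conf() {
    conf="$1"; servername="$2"
    grep -q "^ServerName ${servername}:443" "$conf" \
        || { echo "ServerName is not set to ${servername}" >&2; return 1; }
    grep -q '^SSLCertificateChainFile ' "$conf" \
        || { echo "SSLCertificateChainFile is still commented out" >&2; return 1; }
    proto=$(grep '^SSLProtocol ' "$conf" | head -n 1) || true
    [ -n "$proto" ] || { echo "no SSLProtocol line" >&2; return 1; }
    ssl_protocol_hardened "$proto" \
        || { echo "SSLProtocol still allows SSLv3 or TLSv1: $proto" >&2; return 1; }
}

# The decrypted RSA key must belong to the new certificate (same modulus) and the
# certificate must not already be expired; otherwise httpd fails to start, or the
# scanner reports the same finding again after the restart.
cert_key_match() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus)" ]
}
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Constructed stand-in for the stock /etc/httpd/conf.d/ssl.conf, not a real host file.
WORK=$(mktemp -d)
SAMPLE_CONF="$WORK/ssl.conf"
cat > "$SAMPLE_CONF" <<'EOF'
Listen 443
<VirtualHost _default_:443>
#ServerName www.example.com:443
SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
</VirtualHost>
EOF

configure_ssl_conf "$SAMPLE_CONF" www.example.test
if check_ssl_conf "$SAMPLE_CONF" www.example.test; then
    echo "unexpected: stock SSLProtocol line was accepted"
else
    echo "stock 'SSLProtocol all -SSLv2' rejected, as intended"
fi
set_ssl_protocol "$SAMPLE_CONF" 'all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1'
if check_ssl_conf "$SAMPLE_CONF" www.example.test; then
    echo "ssl.conf is ready for 'service httpd restart'"
fi
rm -rf "$WORK"
```

The sed calls are GNU sed (the -i form the article uses). The -TLSv1.1 token in the hardened value goes one step beyond the SSLv3/TLSv1 alert the article mentions; drop it if the host's httpd build does not accept that token. Run cert_key_match and cert_not_expired against the real localhost.crt and localhost.key before the restart, and after the restart confirm from another machine that the served certificate is the new one by piping openssl s_client -connect <servername>:443 -servername <servername> into openssl x509 -noout -dates -subject.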