Overview
During a vulnerability scan, a vulnerability is reported for an expired SSL certificate for port 443 which corresponds to the httpd (Apache) process.
Solution
- Follow the steps to request and extract the new certificate files in Requesting and Configuring New SSL Certificates.
Configure the Apache server:
- Enter the following command to decrypt the key:
openssl rsa -in ssl.key -out ssl.newkey
- Run these commands to back up and edit the /etc/httpd/conf.d/ssl.conf file, adding a ServerName that matches the CN on the certificate and uncommenting the CA chain file line (the second sed uses | as its delimiter because the path contains slashes):
cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf_`date +%Y%m%dT%H%M%S`
sed -i 's/#ServerName www.example.com:443/ServerName <servername>:443/' /etc/httpd/conf.d/ssl.conf
sed -i 's|#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt|SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt|' /etc/httpd/conf.d/ssl.conf
- Run the following commands to copy the certificate files to the locations specified in the /etc/httpd/conf.d/ssl.conf file:
cp ssl.crt /etc/pki/tls/certs/localhost.crt
cp sslca.crt /etc/pki/tls/certs/server-chain.crt
cp ssl.newkey /etc/pki/tls/private/localhost.key
Or, configure SSLCertificateFile and SSLCertificateKeyFile (and SSLCertificateChainFile for the CA chain) in the /etc/httpd/conf.d/ssl.conf file to point to the new certificate files (.crt and .key) in whichever working directory you put them in.
- Additionally, confirm that the SSLProtocol line is present in the /etc/httpd/conf.d/ssl.conf file, so that SSLv3/TLSv1 are not offered and no vulnerability alerts are raised for them.
- Cycle/restart the HTTP server:
/etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
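Before restarting, it is worth confirming that the new certificate, decrypted key and CA chain actually belong together, and after restarting, that port 443 presents the new expiry date the scanner will evaluate. The following checks are an added example, not part of the original article; they assume the openssl command-line tool is available, use the file names from the steps above (ssl.crt, ssl.newkey, sslca.crt) as arguments, and take the server name as the <servername> placeholder used above.

```shell
#!/bin/sh
# Added pre/post-restart checks for the new certificate material.
# Assumes the openssl CLI; file names follow the steps above
# (ssl.crt, ssl.newkey, sslca.crt) and are passed as arguments.

# 0 if the certificate stays valid for at least $2 seconds (default: 30 days).
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# 0 if the key's public half matches the certificate's public key;
# a mismatch makes httpd refuse to start after the restart.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# 0 if the key carries no passphrase; an encrypted key makes httpd
# prompt at startup (the "openssl rsa" step above removes it).
key_is_unencrypted() {
    [ -r "$1" ] && ! grep -q 'ENCRYPTED' "$1"
}

# 0 if the CA chain file validates the server certificate, so the
# uncommented SSLCertificateChainFile really belongs to this cert.
chain_verifies_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Runs every pre-restart check. Usage: check_all ssl.crt ssl.newkey sslca.crt
check_all() {
    cert_not_expiring "$1" && cert_matches_key "$1" "$2" \
        && key_is_unencrypted "$2" && chain_verifies_cert "$1" "$3"
}

# After the restart: print the notAfter date the live server presents on
# port 443, which is what the scanner evaluates. Usage: served_cert_not_after <servername>
served_cert_not_after() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -enddate
}
```

If check_all fails, rerun the individual functions to see which of the four conditions is not met before touching the files under /etc/pki/tls.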