Oh no! My SSL Certificate Expired.

05/08/2009 by Jim Shank

For the last few days I have been getting emails from my server to the tune of:

################# SSL Certificate Warning ################
Certificate for hostname 'myserver.example.com', in file:
/etc/pki/tls/certs/myserver.example.com.cert
The certificate needs to be renewed; this can be done
using the 'genkey' program.
Browsers will not be able to correctly connect to this
web site using SSL until the certificate is renewed.
##########################################################
Generated by certwatch(1)

which leads me to believe my certificate has expired. I logged into my site and sure enough, it expired 30 days after I created it. I don’t think I have ever had a certificate with such a short life.

It looks like the genkey program for CentOS (and probably other distributions) gives self-signed certificates a default validity of 30 days:

Usage: genkey [options] servername
--test   Test mode, skip random data creation, overwrite existing key
--genreq Just generate a CSR from an existing key
--makeca Generate a private CA key instead
--days   Days until expiry of self-signed certificate (default 30)

Also note the lack of a renew option, something you would expect to see since the message states it needs to be renewed. After searching forums and archives and getting a smattering of RTFM responses and dead ends, I dug into it.

  1. Delete the old certificate pair in /etc/pki/tls/certs/ and /etc/pki/tls/private/. One file ends in .cert, the other in .key.
  2. Run "genkey example.com --days 1825" (if you want a 5-year certificate).
  3. Restart Apache (service httpd restart).
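The same replace-and-verify procedure done with plain openssl, as an added example that is not from the original post, for hosts that don't have genkey; the hostname, validity period and output directory are placeholders supplied by the caller, and the expiry check mirrors the 30-day threshold certwatch warns at.

```shell
#!/bin/sh
# Added example (not from the original post): replace a self-signed
# certificate with openssl and verify how long the new one is good for.
# Hostname, validity and output directory are placeholders from the caller.
set -eu

# Generate a fresh private key and self-signed certificate for <hostname>,
# valid for <days> days, written as <outdir>/<hostname>.key and .cert
# (the same naming scheme certwatch complained about above).
gen_selfsigned() {
  host=$1
  days=$2
  dir=$3
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host" -days "$days" \
    -keyout "$dir/$host.key" -out "$dir/$host.cert" 2>/dev/null
  chmod 600 "$dir/$host.key"   # the private key must not be world-readable
}

# Exit 0 only if <certfile> will still be valid <days> days from now;
# calling this with 30 reproduces the warning threshold certwatch uses.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Print the certificate's notAfter date so a human can eyeball it.
cert_expiry() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}
```

After generating into the real /etc/pki/tls paths you would still restart httpd, as in step 3, before the new certificate is served.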

That’s it. Truthfully, there is no renew anywhere: certificates aren’t really renewable; you just have to generate new ones each time.

I hope this helps those who received the cryptic message; you can finish your cereal and not be late to work today.

One Response

  1. Kelli Garner says:

    I enjoy this site; it is worth me coming back.