SSL Notes
It is important that web sites use secure communication to protect the user's password.
https cert:
jdarchive.org uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is not valid for any server names. The certificate expired on 12/13/13 6:39 PM. The current time is 12/2/15 3:29 PM.
The dev server has an old self-signed cert:
The certificate is not trusted because it is self-signed. The certificate is not valid for any server names. The certificate expired on 1/15/14 1:34 PM. The current time is 12/2/15 9:51 AM.
This was obtained by going to https://dev.jdarchive.org/spacemansteve/web/en/search#view_type=event&media_type=&sort=relevant&
The config file /etc/apache2/sites-available/ssl-default includes the location of the ssl cert file:
default-ssl: SSLCertificateFile /etc/ssl/certs/apache.crt
Using the shell command "openssl x509 -in /etc/ssl/certs/apache.crt -noout -text" reveals:
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=US, ST=MA, L=Cambridge, O=Zeega
    Validity
        Not Before: Jan 15 18:34:19 2013 GMT
        Not After : Jan 15 18:34:19 2014 GMT
    Subject: C=US, ST=MA, L=Cambridge, O=Zeega
Since the cert exploration from the browser matches openssl's "Not After" time, I'm confident apache is really using this cert file. According to https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04, one can create a self-signed cert. I used:
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/certs/apacheNew.key -out /etc/ssl/certs/apacheNew.crt
The above Subject information can be used to help create a new key.
The ssl-default was changed to:
SSLCertificateFile /etc/ssl/certs/apacheNew.crt
SSLCertificateKeyFile /etc/ssl/private/apacheNew.key
and the apacheNew.key file was copied to the private directory. After an apache restart (sudo service apache2 restart), the new cert was being used.
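The checks done by hand above (expiry, self-signed issuer), plus two that matter after swapping files, namely that the key belongs to the cert and that the key file is not readable by group or other, can be scripted. This is an added example, not part of the original notes; the function names are hypothetical and the demo certificate for dev.example.test is constructed on the fly.

```shell
#!/bin/sh
# Added example: sanity checks for an Apache cert/key pair. Paths are arguments.

# True if the certificate is still valid $2 seconds from now (default: right now).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# True if subject and issuer names are identical (the usual self-signed test).
cert_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if the key file grants no permissions to group or other.
key_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample: a throwaway 1-day self-signed pair in directory $1.
make_demo_pair() {
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 \
        -subj "/CN=dev.example.test" \
        -keyout "$1/demo.key" -out "$1/demo.crt" >/dev/null 2>&1
}

report() {  # usage: report <crt> <key>
    cert_valid_for "$1" && echo "not expired" || echo "EXPIRED"
    cert_valid_for "$1" 2592000 || echo "expires within 30 days"
    cert_self_signed "$1" && echo "self-signed (browsers will not trust it)"
    key_matches_cert "$1" "$2" && echo "key matches cert" || echo "KEY MISMATCH"
    key_private "$2" || echo "key is readable by group/other"
}

tmp=$(mktemp -d) && make_demo_pair "$tmp" && report "$tmp/demo.crt" "$tmp/demo.key"
rm -rf "$tmp"
```

On the server, run `report` against the files named by SSLCertificateFile and SSLCertificateKeyFile before restarting Apache.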