Renew SSL via openssl

We all hate that feeling of walking into a warning “Your connection is not private/secure”.

Here we will go over how to renew the SSL certificate so your website doesn’t show this warning!

 

Remember that this tutorial is for Apache httpd (the Apache Hypertext Transfer Protocol server).

 

Find the httpd configuration files that are in use with the following command:

httpd -S

 

Find all the SSL-related settings (certificate, key and chain paths) listed inside the config files found above.

 

Decode the old CRT online to get the subject details you will need as input when creating the new CSR below.

Here’s what I like to use: SSL Shopper Certificate Decoder.

 

Here’s the command to generate a new CSR (the existing private key is reused, so only the certificate changes):

openssl req -new -key "path_to_the_key" -out "path_to_save_new_csr"

 

Submit a ticket to have the SSL administrator purchase and provide the CRT...

Oh wait, are you the SSL administrator? Well then, go ahead and open up an internet browser!

I would google something like “ssl certificate purchase” and pick whichever you feel comfy with.

I personally like DigiCert, GoDaddy, ComodoCA, and Namecheap but it’s just your preference.

 

You will be required to submit the CSR and make a payment to the certificate authority (CA).

 

Voilà! Now you have received a new CRT.

 

Let’s install it on the Apache httpd web server.

 

Run the following command to read the issuer out of the new certificate:

openssl x509 -in server.crt -noout -issuer

 

Find the intermediate issuer and Google it to get the intermediate certificate.

The certificate authority (CA) usually gives you the intermediate certificate when you purchase the new SSL certificate.

 

Download it as PEM and install it on the server.

The file locations are given in the configuration file found above. Download all the new certificates and either replace the existing files at the paths specified, or change the paths in the configuration file to point at the new SSL files.

 

Make sure you reload the daemon so it reads the new configuration!

 

Check that the certificate has been updated correctly with the following command (change the port number if necessary):

openssl s_client -connect localhost:443

 

This command shows the certificate that the web server on localhost is actually serving. Check that certificate and see whether it matches the newer version.

 

Collect the certificate’s validity period with the following command (caca is the certificate file to inspect; replace it with your own path):

openssl x509 -in caca -noout -dates
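To make the checks from the steps above repeatable, here is an added shell script that is not part of the original post. It assumes the file names server.key (the existing private key the CSR was made from), server.crt (the new CRT from the CA) and intermediate.crt (the CA’s intermediate in PEM form), plus a placeholder hostname www.example.com; it verifies that the key matches the new CRT, that the intermediate really signed it, that it is not about to expire, and, after the reload, that the server hands out the same certificate you installed.

```shell
#!/bin/sh
# Pre-flight checks for a renewed Apache certificate, before and after the
# reload. File names below are assumptions, not from the original post:
# server.key = existing private key, server.crt = new CRT from the CA,
# intermediate.crt = the CA's intermediate certificate in PEM form.
set -u

# 1. The CA must have issued the new CRT for the key Apache is configured with
#    (a key/certificate mismatch is rejected by httpd at startup).
#    Compare SHA-256 hashes of the DER-encoded public keys.
key_matches_cert() {    # usage: key_matches_cert server.key server.crt
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 2. The intermediate you downloaded must be the one that signed the new CRT.
#    -partial_chain lets a non-self-signed intermediate act as the trust
#    anchor, so the check does not depend on the root being installed locally.
chain_verifies() {      # usage: chain_verifies intermediate.crt server.crt
    openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# 3. The new CRT must not expire within the next N days (exit status 0 = ok).
valid_for_days() {      # usage: valid_for_days server.crt 30
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 4. Fingerprint of the file you installed ...
file_fingerprint() {    # usage: file_fingerprint server.crt
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# 5. ... and of what the server actually hands out after the reload.
#    -servername sends SNI so the intended virtual host answers; a bare
#    "localhost" connection may be answered by the default vhost instead.
served_fingerprint() {  # usage: served_fingerprint www.example.com 443
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Example run (www.example.com is a placeholder for your own hostname):
#   key_matches_cert server.key server.crt && chain_verifies intermediate.crt server.crt \
#     && valid_for_days server.crt 30 && echo "ok to deploy"
#   [ "$(file_fingerprint server.crt)" = "$(served_fingerprint www.example.com 443)" ] \
#     && echo "server is serving the new certificate"
```

Run the first three checks before touching the live configuration; run the fingerprint comparison only after the daemon reload, since until then the server still serves the old certificate.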

 


Here’s the mechanism behind certificates:

 

1) My browser checks the server certificate.

2) It notices that it’s signed by the intermediate, and checks the intermediate.

3) It notices that the intermediate is signed by a certificate my browser already trusts: the root.