wiki:maintain/SSL
Last modified 3 years ago Last modified on 12/29/16 17:23:03

How to re-sign the certificate

GlobalSign

We can't use StartCom anymore (see https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/), so we asked GlobalSign and it has kindly agreed to sponsor a certificate.

The certificate can be requested at the following URL: https://www.globalsign.com/en/ssl/ssl-open-source/ .

Obsolete

See http://www.midnight-commander.org/ticket/2578 for details.

If you want to create new private key, run:

openssl  genrsa -out midnight-commander.org.key 2048

If you want just re-sign certificate, get the private key from m-c.o server (placed by path /etc/pki/tls/private/midnight-commander.org.key) and run the command:

DOMAIN_NAME="www.midnight-commander.org"

expect -c '
set timeout -1
spawn openssl req -new -key midnight-commander.org.key -out midnight-commander.org.csr
match_max 100000
expect "Country Name"
send -- "MC\r"
expect "State or Province Name"
send -- "'${DOMAIN_NAME}'\r"
expect "Locality Name"
send -- "'${DOMAIN_NAME}'\r"
expect "Organization Name"
send -- "'${DOMAIN_NAME}'\r"
expect "Organizational Unit Name"
send -- "'${DOMAIN_NAME}'\r"
expect "Common Name"
send -- "'${DOMAIN_NAME}'\r"
expect "Email Address"
send -- "\r"
expect "A challenge password"
send -- "\r"
expect "An optional company name"
send -- "\r"
expect eof
'

If you don't have the expect utility, you may manually run the command:

openssl req -new -key midnight-commander.org.key -out midnight-commander.org.csr

And fill all fields as it provided in script.

After this, register or login to https://www.startssl.com, validate (if needed) m-c.o domain and run 'Certificates Wizard' tab on webpage. Skip generation of private key and insert content of midnight-commander.org.csr file to the textarea on webpage. Next, press 'Continue' button and copy content from textarea to midnight-commander.org.crt file. Copy midnight-commander.org.crt file to /etc/pki/tls/private/midnight-commander.org.crt on m-c.o server. Log in to m-c.o server via ssh and run:

sudo su -
/etc/init.d/nginx restart

That's all.

Attachments