Join Sean Colins for an in-depth discussion in this video Renewing a certificate, part of Understanding Secure Sockets Layer.
- So we've successfully revoked our certificate; now we just need to complete the next two steps in this process. And one of them is technically out of order. The request for a new certificate can happen from the server that we're doing it on because everything is self-enclosed on our test system. Or you could have someone doing this from an external server in which case they would make a request based on their private key, and they'd send it to you, answer that request, you'd approve it, and you'd send them back a renewed certificate.
So we haven't done that initial certificate request yet. In this movie, we're going to make the request, and we're also going to issue a new certificate based on that request. So let's get started with that. As you can see, openssl, and we're gonna use request, request new nodes. We're gonna generate an out file at, and I'm typing these things really literally, so you know exactly where they are. But I'm also in some movies giving you examples of places where you can cd into a directory, then print your working directory, and then not have to type out full pathways.
I'm doing both so that you get a sense of how this works. This is more to give you a sense of where you are in the system here. So openSSL/groundswell. I was hitting tab to autocomplete, and it was beeping at me telling me no, that doesn't exist there. And it was because I was thinking I was someplace else. And so there we are, groundswell/req/. There we are. And I'm going to call this something completely ridiculous. Something so that you know that it's different. Right, because in our environment, we've got groundswell, we've got caq, we've got groundswell a key, etc.
I'm gonna call this one fizzy. Because fizzy is really different. And this is our fizzy request. And what that's going to do, is it'll generate the thing, and it'll ask us for our information as you've seen before. Right, so state locality, organization. And I can even change this organization name. The thing is, you probably don't want to do that, because we're supposed to be creating a renewed certificate. Right, so we're gonna keep this the same. Organizational unit. And your common name.
And I'm skipping the email address as before. Extras, again, don't use a password like that, please, ever. And we're done, OK. And you saw the file system over here change as I did that. And we got, there it is. There's our fizzy request. (laughs) So at least it's there and at least we know what it is, right? I mean that really does make it very very different. So that's step one. So assuming that's happened now. You've done that either here or on your own server, or that has been done by someone who's asking you to renew something. They're gonna send you a new request.
Right, so you've gotta have that new request in order for this next part to work. So this next part is going to approve and sign the request and generate a new certificate that is not revoked. Right, so here we go. Again, we're going back to telling it where that config file is. There we are. And once again we're also telling it what the policy is. Then we need to tell it where the out files are. And I'm literally going to call this one fizzycert. So that's my out file. This is what I'm going to create with my new request.
And this is basically saying that the in files are located in the requests folder. And that the request I want it to read is my fizzy request. And there we go. I apologize if anybody thinks this is silly, but I do try to throw a little bit of levity into things because otherwise, man, this gets dry. Alright, here we go. So we're gonna hit enter, and this is going to go. Just to recap, openssl, hey, the certificate authority. We're going to configure using this configuration file. We're gonna set a policy of pretty much anything.
And out, we're going to push out this fizzycert.pem. This is going to be our new cert file. Right, so I'm being silly here. Don't be silly in your environment. Be serious. We're gonna use an in file, and that in file is located over here in the requests folder inside of openssl/groundswell, this is where our ca is, and this is where the requests folder is, and it's called fizzy. And that's what it looks like if you were looking at it in the Finder in a graphical user interface. So, hitting return, and it's gonna ask us that passphrase that we've set.
And hit return. And it gives us all of our details. Right, serial number two because this is our second certificate, and it's serializing them, and that's awesome. The first one was serial number one. Right, and it tells us that this is going to be valid from today until 2015, so it's giving us a year to make this all good. Do we wanna sign it? Yes we do! And one out of one certificate requested was certified, do we wanna commit this? Yes we do. And it tells us right here that it was certified for another 365 days, which is fantastic, because that gives us another year of functionality on this certificate.
And we are renewed. We are done. The rest of this is the same process as it was at the end of chapter five, where we would then make this certificate available to folks, and so forth. And that is all, on a self-signed environment. Of course in a public system where you have a public certificate, you would of course send that certificate signing request up to the ca in the cloud. So this would be Verisign, or Network Solutions, whoever. And then they would key and replace, and of course all of their web sites are different.
Every system is different. And so navigating those systems, there's not much value in showing you those, because it's different with all of them, you can choose any one of dozens. And that is it. So we are done renewing our certificate. That is what you will need to do in order to keep your certificate sort of rolling forward into the future.
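The two commands narrated in the video (the requester's `openssl req -new -nodes -out <ca>/req/<name>` and the CA's `openssl ca -config ... -policy policy_anything -out <name>cert.pem -infiles <ca>/req/<name>`), together with the revocation the speaker says was done just before, as an added, self-contained shell example. It is not the course's own command sequence: it builds a throwaway CA in a temporary directory so that the whole revoke, re-request and re-sign cycle runs unattended and can be checked afterwards (serial 01 revoked in `index.txt`, serial 02 valid and chaining to the CA). The CA directory name `groundswell`, the request name `fizzy`, the subject names, the contents of the `policy_anything` section and the `-batch`, `-subj`, `-notext` and `-extensions v3_ca` flags that stand in for the interactive prompts shown in the video are all assumptions.

```shell
#!/bin/sh
# Added example (not the course's own commands): a throwaway CA that reproduces the
# revoke -> new request -> sign-renewed-certificate flow from the video, unattended.
# Assumed names: CA directory "groundswell", request names "groundswell" and "fizzy".
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"     # scratch directory for everything below
CA="$WORK/groundswell"           # same directory name the video uses for its CA
CNF="$CA/openssl.cnf"

setup_ca() {
    mkdir -p "$CA/req" "$CA/certs"
    : > "$CA/index.txt"            # the CA database: one line per issued certificate
    echo 01 > "$CA/serial"         # next serial number, so the first cert gets serial 01
    cat > "$CNF" <<EOF
[ ca ]
default_ca = groundswell_ca

[ groundswell_ca ]
dir           = $CA
database      = \$dir/index.txt
new_certs_dir = \$dir/certs
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_anything

# "policy_anything": only the common name is mandatory (assumed section contents)
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed CA key and certificate. No passphrase (-nodes) only so this runs unattended.
    openssl req -x509 -new -nodes -newkey rsa:2048 -config "$CNF" -extensions v3_ca \
        -keyout "$CA/cakey.pem" -out "$CA/cacert.pem" -days 365 \
        -subj "/O=Groundswell/CN=Groundswell Test CA" >/dev/null 2>&1
}

# Step 1 (requester's side): "openssl req -new -nodes -out <ca>/req/<name>".
# -subj replaces the interactive prompts; the DN is kept identical because this is a renewal.
request_cert() {
    openssl req -new -nodes -newkey rsa:2048 -config "$CNF" \
        -keyout "$CA/req/$1.key" -out "$CA/req/$1" \
        -subj "/C=US/ST=California/O=Groundswell/OU=Web/CN=www.groundswell.example" \
        >/dev/null 2>&1
}

# Step 2 (CA's side): "openssl ca -config <cfg> -policy policy_anything -out <name>cert.pem -infiles <ca>/req/<name>".
# -batch answers the "Sign the certificate?" and "commit?" prompts with yes; -notext keeps the output pure PEM.
issue_cert() {
    openssl ca -batch -notext -config "$CNF" -policy policy_anything \
        -out "$CA/${1}cert.pem" -infiles "$CA/req/$1" >/dev/null 2>&1
}

# The step the video did just before: mark an issued certificate as revoked in index.txt.
revoke_cert() {
    openssl ca -config "$CNF" -revoke "$CA/${1}cert.pem" >/dev/null 2>&1
}

cert_serial() {                    # prints the serial, e.g. "02"
    openssl x509 -in "$CA/${1}cert.pem" -noout -serial | sed 's/^serial=//'
}

index_status() {                   # prints V (valid) or R (revoked) for a serial from index.txt
    awk -F'\t' -v s="$1" '$4 == s { print $1 }' "$CA/index.txt"
}

verify_cert() {                    # exit status 0 when the certificate chains to our CA
    openssl verify -CAfile "$CA/cacert.pem" "$CA/${1}cert.pem" >/dev/null 2>&1
}

setup_ca
request_cert groundswell
issue_cert groundswell             # original certificate, serial 01
revoke_cert groundswell            # revoked, as at the start of the video
request_cert fizzy
issue_cert fizzy                   # new request and renewed certificate, serial 02
echo "groundswell: serial $(cert_serial groundswell) status $(index_status 01)"
echo "fizzy:       serial $(cert_serial fizzy) status $(index_status 02)"
```

The serial column of `index.txt` is the quick way to confirm what the video shows interactively: after the run, serial 01 carries status `R` and serial 02 carries `V`, and `openssl verify` accepts `fizzycert.pem` against `cacert.pem`. Because `index_name_qual` in `openssl ca` only indexes `V` entries, the renewed certificate can reuse the exact subject of the revoked one without tripping the default `unique_subject` check, which is why the revocation has to come first.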
- SSL communications
- Certificate authorities
- Public key infrastructures
- Symmetric and asymmetric key pairs
- Cryptographic hash functions
- Encryption algorithms
Start now, and by the end of this course you'll have the knowledge to create SSL certificates, as well as revoke and renew them, from the command line.