Self-Signed SSL Certificate / Certbot: Difference between revisions

Introduction

We self sign our SSL Certificates for our websites proxied at these machines:

• files2
• vav
• bksmailman

How To Self-Sign A Website(s)

Assuming that you are already running the software/app on httpd then we can begin.

1. The command is:

   • certbot --apache <options>

2. Usually, I just use the '-d' domain flag:

   • certbot --apache -d sample.docking.org

How To Remove SSL Cert From A Domain

1. You should only do this if UCSF IT gave you an SSL Cert to use or you are migrating a domain name to another site.
   • certbot delete --cert-name sample.docking.org

How To Get a UCSF SSL Cert and Replace LetsEncrypt Certs

1. Create a CSR (Certificate Signing Request)

   openssl req -new -newkey rsa:2048 -nodes -out servername.csr -keyout servername.key

2. File a SSL Ticket Request with UCSF IT here.
3. Create a directory to store the new Certificates
4. Download "Certificate Only" and "Certificate with chain" using wget '<link>' and store in the newly created directory.
5. Remove Let’s Encrypt Cert if it exists

   certbot delete --cert-name domain.com

6. Go to the /etc/httpd/conf.d/<name>-le-ssl.conf of the site and at the bottom replace these with the path of where you put the Certificate

   SSLCertificateFile <new path>
   SSLCertificateKeyFile <new path>
   SSLCertificateChainFile <new path>

What Websites in which Machines Need UCSF Certs

Having and renewing these UCSF Certs for these specific websites keeps UCSF IT satisfied enough to not bother us. At some point, they will ask to replace all our website certificates. When that happens you can request for a Wildcard SSL Cert. As to how that cert gets implemented into Apache, I don't know.