Self-Signed SSL Certificate / Certbot

From DISI

Introduction

We self-sign the SSL certificates for the websites proxied at these machines:

  • files2
  • vav
  • bksmailman

How To Self-Sign A Website

Assuming the software/app is already running under httpd, you can begin.

  1. The command is:
    • certbot --apache <options>
  2. Usually, I just use the '-d' domain flag:
    • certbot --apache -d sample.docking.org

How To Remove SSL Cert From A Domain

  1. Only do this if UCSF IT gave you an SSL cert to use, or if you are migrating the domain name to another site.
    • certbot delete --cert-name sample.docking.org

How To Get a UCSF SSL Cert and Replace LetsEncrypt Certs

  1. Create a CSR (Certificate Signing Request)
    openssl req -new -newkey rsa:2048 -nodes -out servername.csr -keyout servername.key
  2. File an SSL ticket request with UCSF IT here.
  3. Create a directory to store the new certificates.
  4. Download "Certificate Only" and "Certificate with chain" with wget '<link>' and store them in the newly created directory.
  5. Remove the Let's Encrypt cert if one exists:
    certbot delete --cert-name domain.com
  6. Open the site's /etc/httpd/conf.d/<name>-le-ssl.conf and, at the bottom, point these directives at the files you placed in the new directory:
    SSLCertificateFile <new path>
    SSLCertificateKeyFile <new path>
    SSLCertificateChainFile <new path>
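The steps above leave out the checks that usually save a reload: that the CSR you paste into the ticket is intact, that the certificate UCSF IT returns actually belongs to the private key you generated, that it chains to the bundle, and that it is not about to expire. The helpers below are an added example, not the wiki's or UCSF's own tooling; they assume openssl and httpd with mod_ssl are installed, and the file names (<fqdn>.key, .csr, .crt and -chain.crt) are this example's own convention. The demo signs the CSR with its own key as a constructed stand-in for the certificate that would really come back from UCSF IT.

```shell
#!/bin/sh
# Added example (not from the DISI wiki): helpers around the CSR / cert
# replacement procedure. Assumes openssl and httpd (mod_ssl) are installed;
# the <fqdn>.key / .csr / .crt / -chain.crt names are this example's own.

# Create an unencrypted 2048-bit RSA key and a CSR for one hostname.
# Same openssl command as the wiki, plus -subj so it runs non-interactively.
make_csr() {
    dir=$1; fqdn=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$fqdn" \
        -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null
    chmod 600 "$dir/$fqdn.key"   # private key: owner-readable only
}

# Exit 0 if the CSR's self-signature verifies (it is intact and was made
# with the matching key); only then paste it into the IT ticket.
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Exit 0 if the public key inside the issued certificate equals the public
# key derived from our private key. A mismatch here is the classic reason
# httpd refuses to start after a certificate swap.
cert_matches_key() {
    cert=$1; key=$2
    [ "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]
}

# Exit 0 if the certificate is still valid $2 seconds from now
# (-checkend fails when the cert would expire inside that window).
cert_valid_beyond() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Exit 0 if the leaf certificate ($1) verifies against the chain bundle ($2).
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the three mod_ssl directives for the bottom of <name>-le-ssl.conf,
# refusing to emit anything if one of the referenced files is missing.
ssl_directives() {
    dir=$1; fqdn=$2
    for f in "$fqdn.crt" "$fqdn.key" "$fqdn-chain.crt"; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    printf 'SSLCertificateFile %s\n'      "$dir/$fqdn.crt"
    printf 'SSLCertificateKeyFile %s\n'   "$dir/$fqdn.key"
    printf 'SSLCertificateChainFile %s\n' "$dir/$fqdn-chain.crt"
}

# End-to-end walk-through. The certificate is a self-signed stand-in made
# here (constructed), because the real one comes back from UCSF IT.
demo() {
    fqdn=sample.docking.org
    dir=$(mktemp -d)
    make_csr "$dir" "$fqdn"
    csr_ok "$dir/$fqdn.csr" && echo "CSR OK, submit $dir/$fqdn.csr"
    openssl x509 -req -in "$dir/$fqdn.csr" -signkey "$dir/$fqdn.key" \
        -days 90 -out "$dir/$fqdn.crt" 2>/dev/null
    cp "$dir/$fqdn.crt" "$dir/$fqdn-chain.crt"   # constructed chain bundle
    cert_matches_key "$dir/$fqdn.crt" "$dir/$fqdn.key" && echo "cert matches key"
    chain_verifies "$dir/$fqdn.crt" "$dir/$fqdn-chain.crt" && echo "chain verifies"
    cert_valid_beyond "$dir/$fqdn.crt" 2592000 && echo "valid for more than 30 days"
    ssl_directives "$dir" "$fqdn"
    echo "then: apachectl configtest && systemctl reload httpd"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it with RUN_DEMO=1 sh script.sh, or source it and call the functions against the real files. Always run apachectl configtest before reloading httpd, so a bad path fails loudly instead of taking the site down. One caveat on the last directive: since httpd 2.4.8, SSLCertificateChainFile is obsolete and SSLCertificateFile can load the intermediate certificates itself, so on a current httpd you can point SSLCertificateFile at the "Certificate with chain" bundle and drop the chain directive.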

What Websites in which Machines Need UCSF Certs

Having and renewing these UCSF certs for these specific websites keeps UCSF IT satisfied enough not to bother us. At some point they will ask us to replace all of our website certificates; when that happens, you can request a wildcard SSL cert. As for how that cert gets implemented in Apache, I don't know.

Website                 Machine
irwinlab1.ucsf.edu      files2
irwinlab2.ucsf.edu      epyc
vav.compbio.ucsf.edu    vav