@joncode
Last active November 22, 2016 19:08
Re-keying SSL certs

Rotating SSL Keys

terms :

SSL certificate - the X.509 certificate the server presents; it binds the server's public key to its name and is signed by the CA (GoDaddy here).

CSR - Certificate Signing Request. The CSR carries your certificate-application information (subject name, organization) and your public key, and is signed with your private key. It does not create the key pair: the key pair is generated first (step 2) and the CSR is built from it (step 3). Only the CSR is sent to GoDaddy; the private key never leaves your machine.

Note: To have an SSL certificate issued or re-keyed, you must first generate and submit a Certificate Signing Request (CSR)

  1. make a folder in SSL - here a heartbleed 4/11/14 folder. The folder name records the reason: after Heartbleed the old private key has to be treated as exposed, so this procedure generates a brand-new key pair instead of reusing the old key (a "re-key" in GoDaddy's terms)

  2. generate a new host key - 'host.key'

    openssl genrsa -des3 -out host.key 2048

    openssl prompts for a passphrase (you need it again in steps 9 and 12). Do not append the passphrase to the command as the original note did: it is not a genrsa argument (newer openssl rejects extra arguments) and anything typed on the command line ends up in shell history.

  3. generate a certificate signing request ('host.csr') from the host key. This is a CSR, not a self-signed certificate: it carries the public key and the subject answered below, signed with host.key, and GoDaddy turns it into the certificate in step 5

    openssl req -new -key host.key -out host.csr

  4. answer the questions

    Country Name (2 letter code) [AU]:US

    State or Province Name (full name) [Some-State]:Nevada

    Locality Name (eg, city) []:Las Vegas

    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Its On Me

    Organizational Unit Name (eg, section) []:*.itson.me

    Common Name (e.g. server FQDN or YOUR name) []:*.itson.me

    Email Address []:[email protected]

    Please enter the following 'extra' attributes to be sent with your certificate request

    A challenge password []:

    An optional company name []:

  5. re-key the cert on GoDaddy

    go to the SSL cert > manage certificates > choose the SSL cert > choose re-key

  6. fill out the form

    copy the contents of host.csr (the whole -----BEGIN CERTIFICATE REQUEST----- block) into the box, choose SHA-2, click re-key

  7. GoDaddy will notify you via email when the cert is re-keyed

    select your server type - Nginx or Apache 2.x (either works here; both give PEM files)

    download the SSL cert into the folder

    you receive a 37846528374 folder containing two files:
    37846528374.crt - the new SSL certificate
    gd_bundle-g2-g1.crt - the issuing certificate chain (GoDaddy's intermediate certificates) that links your certificate back to GoDaddy's root

  8. generate host.pem - combine the SSL cert with the (still passphrase-protected) host key; host.pem now contains your private key, so treat it as private

    cat 37846528374.crt host.key > host.pem

  9. remove the pass phrase from the private key and write key + certificate to nopassphrase.pem

    openssl rsa -in host.pem -out nopassphrase.pem

    (enter the passphrase from step 2; openssl rsa finds the key block inside host.pem and writes it out unencrypted)

    openssl x509 -in host.pem >> nopassphrase.pem

    (appends the certificate after the key)

  10. open 'nopassphrase.pem' in a text editor and delete the private key section, from -----BEGIN RSA PRIVATE KEY----- through -----END RSA PRIVATE KEY----- inclusive (newer OpenSSL writes the unencrypted key as -----BEGIN PRIVATE KEY----- / -----END PRIVATE KEY-----; remove that block the same way). What remains must be the certificate only: this file is about to become the public half of the upload, so make sure no PRIVATE KEY block is left in it

  11. generate public.pem by combining nopassphrase.pem (now certificate only) with the GoDaddy bundle: your certificate first, then the chain. This is the file uploaded as the certificate

    cat nopassphrase.pem gd_bundle-g2-g1.crt > public.pem

  12. remove the pass phrase from the private key (host.key holds only the key, not a certificate)

    openssl rsa -in host.key -out private.key

    private.key is now unencrypted: it is exactly what Heroku needs and exactly what must never be committed, mailed or left lying around. Restrict its permissions, and keep the passphrase-protected host.key as the copy you retain

  13. copy public.pem & private.key to the root folder of the rails app (only so the next command can find them; they are not app files and must not be committed) and update the certs in the terminal

    heroku certs:update public.pem private.key -r heroku

    you will be prompted to type the name of the heroku app to confirm

  14. check that the website is working securely: load it over https and confirm that the certificate now served is the new one (serial number and expiry) and that the chain validates without warnings

  15. remove public.pem & private.key from the rails folder before anything is committed (check git status; an unencrypted private key in the repo means doing this whole re-key again)
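The procedure above, as an added example that is not part of the gist: a POSIX shell script that runs steps 2 to 12 non-interactively and then checks the result before the upload in step 13. It assumes openssl (1.1.0 or later) on PATH, a passphrase in the HOST_KEY_PASS environment variable in place of the step 2 prompt, and, because GoDaddy cannot be called offline, a throwaway root and intermediate CA standing in for GoDaddy's signing step; the filenames 37846528374.crt and gd_bundle-g2-g1.crt are reused for the stand-in outputs so that the assembly and checks are the same ones you would run on the real downloads. The hostname www.itson.me, the default passphrase, the function names and every certificate generated here are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the gist: the re-key procedure run non-interactively,
# followed by the checks worth running before `heroku certs:update`.
# Assumptions (all hypothetical): openssl 1.1.0+ on PATH; WORK is a scratch directory;
# HOST_KEY_PASS holds the key passphrase (replaces the prompt in step 2); the GoDaddy
# signing step is stood in for by a throwaway root + intermediate CA, so the files
# 37846528374.crt and gd_bundle-g2-g1.crt written here are local stand-ins for the
# ones GoDaddy sends back in step 7.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SUBJ="/C=US/ST=Nevada/L=Las Vegas/O=Its On Me/CN=*.itson.me"    # the step 4 answers
HOST_KEY_PASS="${HOST_KEY_PASS:-example-passphrase-change-me}"   # constructed default
export HOST_KEY_PASS

# Steps 2-3: a NEW encrypted host key and a CSR signed by it. The passphrase is read
# from the environment, never passed as a command-line argument (shell history).
make_key_and_csr() {
    openssl genrsa -aes256 -passout env:HOST_KEY_PASS -out "$WORK/host.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/host.key" -passin env:HOST_KEY_PASS \
        -subj "$SUBJ" -out "$WORK/host.csr"
    # the CSR is self-signed by the host key; this confirms key and CSR belong together
    openssl req -in "$WORK/host.csr" -noout -verify >/dev/null 2>&1
}

# Stand-in for steps 5-7 (GoDaddy signing the CSR): a throwaway root and intermediate.
# In real use skip this function and drop GoDaddy's downloaded files into $WORK.
stand_in_ca_sign() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.crt" -subj "/CN=Stand-in Root (not GoDaddy)" -days 2 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
        -out "$WORK/int.csr" -subj "/CN=Stand-in Intermediate" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/int.ext"
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -set_serial 2 -days 2 -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null
    # leaf: end-entity, names in a SAN (a wildcard does not cover the bare domain,
    # so the bare domain is listed as well)
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.itson.me,DNS:itson.me\n' \
        > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -set_serial 3 -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/37846528374.crt" 2>/dev/null
    cp "$WORK/int.crt" "$WORK/gd_bundle-g2-g1.crt"   # plays the role of GoDaddy's bundle
}

# Steps 8-12 reduced to their net effect: Heroku gets the issued cert followed by the
# chain (public.pem) and the host key with its passphrase removed (private.key).
# No private key ever sits in a file that later gets hand-edited.
assemble_for_heroku() {
    cat "$WORK/37846528374.crt" "$WORK/gd_bundle-g2-g1.crt" > "$WORK/public.pem"
    ( umask 077; openssl rsa -in "$WORK/host.key" -passin env:HOST_KEY_PASS \
        -out "$WORK/private.key" 2>/dev/null )
}

# Checks to run before `heroku certs:update public.pem private.key`:
#   1. the certificate's public key is the one in private.key (an old CSR pasted into
#      GoDaddy's form fails here)
#   2. nothing private leaked into public.pem (the hand edit in step 10)
#   3. the leaf chains through the bundle to the trust anchor and matches the hostname
# $1 = trust anchor (stand-in root here; GoDaddy's root from the system store in real use)
# $2 = hostname the site will be served on
check_before_upload() {
    root_ca="$1"; host="$2"
    cert_pub=$(openssl x509 -in "$WORK/public.pem" -noout -pubkey)   # first cert = leaf
    key_pub=$(openssl pkey -in "$WORK/private.key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: private.key does not match the certificate"; return 1; }
    if grep -q 'PRIVATE KEY' "$WORK/public.pem"; then
        echo "FAIL: a private key block is inside public.pem"; return 1
    fi
    openssl verify -CAfile "$root_ca" -untrusted "$WORK/gd_bundle-g2-g1.crt" \
        -verify_hostname "$host" "$WORK/37846528374.crt" >/dev/null 2>&1 \
        || { echo "FAIL: chain or hostname verification failed for $host"; return 1; }
    echo "ok"
}

run_rekey() {
    make_key_and_csr
    stand_in_ca_sign
    assemble_for_heroku
    check_before_upload "$WORK/root.crt" www.itson.me
    # real upload (not run here):  heroku certs:update "$WORK/public.pem" "$WORK/private.key" -r heroku
    # afterwards (step 15): delete private.key; keep only the passphrase-protected host.key, outside the repo
}

run_rekey
```

The three checks catch the usual re-key mistakes: a key that does not match the issued certificate (wrong CSR pasted into GoDaddy's form), a private key left in the file uploaded as the certificate bundle, and a bundle that does not chain or a wildcard that does not cover the name being served. Against the real GoDaddy files, point the trust-anchor argument at the GoDaddy root from your system's CA store instead of the stand-in root.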


Add the SSL endpoint

  1. you must enable the Heroku custom domains add-on (If you haven’t done so already)

    heroku addons:add custom_domains:basic

  2. add ‘secure.yourdomain.com’ to Heroku’s list of domains

    heroku domains:add secure.yourdomain.com

  3. add Heroku's 'Hostname SSL' solution (this and custom_domains were the add-on names at the time of writing, April 2014)

    heroku addons:add ssl:hostname

joncode commented Apr 11, 2014

joncode commented Nov 22, 2016

Here are the steps for RENEWING an SSL cert

  1. download the renewed certificate from GoDaddy, Apache version
  2. open the zip file in the ~/itsonme/ssl/11-22-16 folder and cd into it
  3. cat afd832282f6ed1e6.crt gd_bundle-g2-g1.crt > afd832282f6ed1e6_bundle.crt
  4. chmod 755 afd832282f6ed1e6_bundle.crt
