19th December 2011
This article relies on having a soon-to-expire SSL certificate on an Apple OSX Server. Ours are running Snow Leopard, and I’m yet to try the whole thing on Lion.
I’ve got to admit, I went through a bit of a rigmarole to do this.
To generate a new certificate, you need a key, and a CSR.
To get the key, you need to export a PKCS12 file from KeychainAccess as ROOT. Yes, Root. Yes, OSX = Toy operating system. No, another admin user won’t cut it. Yes it’s a pain in the arse.
For an imaginary wibblesplat.com:
- sudo /Applications/Utilities/Keychain\ Access/Contents/MacOS/Keychain\ Access
Next, we need to split the PKCS12 archive, to get the old private key out.
[email protected]:~$ cd /tmp
[email protected]:/tmp$ openssl pkcs12 -in wibblesplat.p12 -nocerts -out wibblesplat.key
> Enter Import Password: *****
> MAC verified OK
> Enter PEM pass phrase: *****
> Verifying - Enter PEM pass phrase: *****
Strip the passphrase from the key (otherwise you have to enter it lots when you restart services.)
[email protected]:/tmp$ openssl rsa -in wibblesplat.key -out wibblesplat.unprotected.key
> Enter pass phrase for wibblesplat.key: *****
> writing RSA key
Export the old Certificate from the p12. You might as well.
[email protected]:/tmp$ openssl pkcs12 -in wibblesplat.p12 -clcerts -nokeys -out wibblesplat.old.crt
Generate the Certificate from the CSR from earlier, and the freshly exported key.
[email protected]:/tmp$ openssl x509 -req -days 7300 -in wibblesplat.csr -signkey wibblesplat.unprotected.key -out wibblesplat.new.crt
> Signature ok
> Getting Private key
Now, you go back to Server Admin. Re-select the expired certificate, and hit Gearwheel -> Replace with new signed certificate.
Find the file "wibblesplat.new.crt" in Finder, and drag it into the Server Admin "Replace Screen"
You don’t need to replace the Key, because of the above steps, we used the old key.
Head back over to Keychain Access,
Find the newly updated certificate, and you should find that the new expiry time is somewhere about 20 years from now (7300 days, which is the longest you can set a certificate Valid To date)
Then double click the new certificate, and under the Trust dropdown/treeview thingy, set
"When using this certificate, to Always Trust"
Congrats. You've just replaced an expired certificate with one that won't expire for 20 years (well, near enough.)
Some of these may be partially falsified, but Tom doesn't know either.