SSL Certificate Renewal Checklist

The SSL certificate renewal process is arcane, nuanced, and easy to forget or mess up. To make sure you don't make a mistake with it (and end up putting your site's security at risk), follow the steps in this checklist.

This checklist is the exact process that Cameron, the Process Street CTO, uses to renew our site's SSL certificates, including some deprecated steps (labeled) for reference.

From the command line:

openssl req -nodes -newkey rsa:2048 -nodes -keyout process-st-$(date +"%b-%Y").key -out process-st-$(date +"%b-%Y").csr -subj "/C=US/ST=CA/L=San Francisco/O=Process Street/OU=IT/CN=*.process.st"

This will generate two files (month and year may be different):

• process-st-Sep-2014.csr
• process-st-Sep-2014.key

The .key file is the private key, DO NOT send it over any unencrypted channel (such as email or Skype).

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/1/19/csr-generation-using-openssl-apache-wmod_ssl-nginx-os-x

Send the .csr file to Namecheap so they can generate the SSL certificate.

They will ask for an approver email, pick [email protected]. An email will come to that address with instructions on how to approve it (do an explicit search for [email protected], just in case it's auto-archived). Once that is done, [email protected] will receive a .zip file with the certificate.

Go to the Load Balancers section, select a load balancer, click "Actions" then "Edit listeners".

For the HTTPS listener, select Change for the SSL Certificate. Choose "Upload a new SSL Certificate".

Name the new certificate "PositiveSSL2-MMMYYYY" where MMM and YYYY are the month and year.

In the "Private Key" field, put the contents of process-st-MMM-YYYY.key.

In the "Public Key Certificate" field, put the contents of STAR_process_st.crt.

In the "Certificate Chain" field, put the contents of process-st-MMM-YYYY-apache-bundle.crt (generated in the Update Linode certificate step).

Remember in all these steps to have NO trailing newlines.

Once done, click Save, then Save again to make them live.

Do this for both load balancers.

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/US_UpdatingLoadBalancerSSL.html

This step is no longer necessary as we don't use Linode anymore.

Since our Linode uses Apache, we need 3 things:

1. The process-st-MMM-YYYY.key generated earlier.
2. The STAR_process_st.crt file from the .zip file sent from Comodo/Namecheap.
3. A newly generated file called process-st-MMM-YYYY-apache-bundle.crt.

To generate this bundle, run the following command in the shell:

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > process-st-$(date +"%b-%Y")-apache-bundle.crt

Upload these 3 files to the Linode site. REMEMBER to use SFTP or SCP, or else the private key could be compromised!

After uploading them, place the .key file in the /etc/ssl/private and place the .crt files in /etc/ssl/certs.

Next, open up /etc/apache2/sites-available/default-ssl.conf and update the lines:

SSLCertificateFile /etc/ssl/certs/STAR_process_st.crt
SSLCertificateKeyFile /etc/ssl/private/process-st-MMM-YYYY.key
SSLCertificateChainFile /etc/ssl/certs/process-st-MMM-YYYY-apache-bundle.crt

Then restart Apache. Donezo.

This step is no longer necessary as the ELB will handle SSL.

Certificates are located in these directories:

• /etc/pki/tls/certs/process.st-MMM-YYYY-nginx-bundle.crt

• /etc/pki/tls/private/process-st-MMM-YYYY.key

Add the new .key file (be sure to copy with scp!) you generated before to private directory.

To create the bundle, you need to run the following command:

cat STAR_process_st.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > process-st-$(date +"%b-%Y")-nginx-bundle.crt

Once the bundle is created, copy it to the directory above.

Also be sure to update /etc/nginx/nginx.conf so that the keys...

• ssl_certificate 
• ssl_certificate_key

...point to the correct MMM-YYYY values (i.e. Sep-2014).

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/789/37/certificate-installation-nginx

This step is no longer necessary as the ELB will handle SSL.

Generate p12 certificate

openssl pkcs12 -export -in STAR_process_st.crt -inkey process-st-MMM-YYYY.key > process-st-$(date +"%b-%Y").p12

It will ask for a password. Set it to: abcdef.

Generate Java Keystore using the p12 certificate

keytool -importkeystore -srckeystore process-st-MMM-YYYY.p12 -destkeystore process.st.jks -srcstoretype pkcs12

It will ask for a password. Use the same one as you used in the previous step. In the end you will enter the same password 3 times (2 times for the .jks password, 1 time for p12 password).

Import all certificates in the trust chain

keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore process.st.jks

keytool -import -trustcacerts -alias COMODORSAAddTrustCA -file COMODORSAAddTrustCA.crt -keystore process.st.jks  

keytool -import -trustcacerts -alias COMODORSADomainValidationSecureServerCA -file COMODORSADomainValidationSecureServerCA.crt -keystore process.st.jks

http://blog.jgc.org/2011/06/importing-existing-ssl-keycertificate.html

https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1204

• Comodo - CSR Generation: Using OpenSSL (Apache w/mod_ssl, NGINX, OS X)
• Amazon - Replace the SSL Certificate for Your Classic Load Balancer
• Process Street - The 11 Agile Processes We Use to Run an Efficient Software Team

• Daily Standup Meeting Checklist
• Sprint Turnover Process
• Sprint Retrospective Process
• Sprint Estimation Process
• Sprint Planning Process
• Scrum Project Management
• Git Workflow
• User Story Template
• Software Deployment
• Software Testing Tutorial
• Software Debugging Process
• GitHub Pull Request Procedure
• Pull Request Review Failed Procedure