Renewing SSL certificates

I switched all my websites to HTTPS around September 2013, when Eric Mill published a didactic post on his blog explaining how to set up HTTPS certificates on one's website for free. Like others, I believe we need to make surveillance as expensive as possible. Making privacy the default on all my websites is a small contribution in this direction: for privacy not to be suspicious, privacy should be on by default over the Internet.

Update: switch to Let's Encrypt

These instructions are out of date now that software like Certbot, the certificate bot from Let's Encrypt, is available. I just did it and was very pleased to see that the process is smooth and much simpler than it used to be. Certbot basically automates the instructions below in a neat way. It also automates the renewal process, installing a crontab so that manual action is not needed any more.

In a previous version of this post, I also gave details on how to interact with a Certificate Authority (CA) known as StartSSL. Since then, this CA has been distrusted by Google and its certificates will raise a security error in Chrome. If you had applied my previous instructions, the quickest update for you is most likely to switch to Let's Encrypt.

Previous instructions

Doing the configuration is one thing. Later on comes the renewal of your certificates. At that point, having forgotten most of the procedure, I had to go back to Eric Mill's post to do it again. After a few iterations of this, I realized this step can be mostly automated, so I compiled the useful part into the following script:

#!/bin/bash
# Each step is skipped when its output file already exists, so the script can
# be re-run safely at every renewal: the key pair is kept, only the
# certificate changes.

PRIVATE=private.key       # passphrase-protected private key (kept offline-safe)
DECRYPTED=decrypted.key   # same key without passphrase, the one nginx reads
REQUEST=request.csr       # certificate signing request to hand to the CA
CERTIFICATE=bundle.crt    # certificate (plus chain) returned by the CA

# 1. Generate a 4096-bit RSA key, encrypted with AES-256 (prompts for a passphrase).
if [ ! -f "${PRIVATE}" ]; then
    openssl genrsa -aes256 -out "${PRIVATE}" 4096
fi

# 2. Write an unencrypted copy so that nginx can start without a passphrase prompt.
if [ ! -f "${DECRYPTED}" ]; then
    openssl rsa -in "${PRIVATE}" -out "${DECRYPTED}"
fi

# 3. Build the CSR with a SHA-256 signature (prompts for the subject fields;
#    the Common Name must be your domain).
if [ ! -f "${REQUEST}" ]; then
    openssl req -new -sha256 -key "${DECRYPTED}" -out "${REQUEST}"
fi

# 4. The CA does the rest: submit the CSR, then save its answer as ${CERTIFICATE}.
if [ ! -f "${CERTIFICATE}" ]; then
    echo "Ready to send the certificate request:"
    echo ""
    cat "${REQUEST}"
    echo ""
    echo "Write final certificate in ${CERTIFICATE}"
else
    echo "Final certificate ${CERTIFICATE} already exists"
fi

Next, go through the validation process of your CA to generate a certificate file (filename extension: .crt). Copy this file as bundle.crt in the same directory as the script above. Finally, check that your nginx configuration uses the correct file names. With the settings above, it should look like:

server {
    listen 443 ssl;
    server_name your-domain;
    ssl_certificate /path/to/script/directory/bundle.crt;
    ssl_certificate_key /path/to/script/directory/decrypted.key;
    [...]
}

Be sure to restart the server (sudo service nginx restart) to complete the key renewal.
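Before that restart, it is worth checking that the new bundle.crt actually belongs to decrypted.key and that it is not already close to expiry, since nginx will happily serve a mismatched or stale certificate. The following script is an added example, not part of the original post: it reuses the file names of the renewal script above, and the key and 30-day self-signed certificate it generates at the end are a constructed throwaway pair so that the checks can be tried offline.

```bash
#!/bin/bash
# Sanity checks to run before "service nginx restart": does bundle.crt
# really belong to decrypted.key, and how close is it to expiring?
# File names follow the renewal script above; the sample pair at the bottom
# is a constructed self-signed throwaway so the checks run offline.
set -u

# Return 0 when the certificate's public key equals the private key's public
# key (compared in SPKI PEM form, so this also works for non-RSA keys).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate expires within $2 days (or is already
# expired, or cannot be read: both are reasons to act, so err on that side).
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Report on a cert/key pair; non-zero exit means "do not restart nginx yet".
check_renewal() {
    cert=$1; key=$2; warn_days=$3; status=0
    if key_matches_cert "$cert" "$key"; then
        echo "OK: $cert matches $key"
    else
        echo "ERROR: $cert does not match $key (wrong key or wrong bundle)"
        status=1
    fi
    if expires_within_days "$cert" "$warn_days"; then
        echo "WARNING: $cert expires within $warn_days days, renew now"
        status=1
    else
        echo "OK: $cert is valid for more than $warn_days days"
    fi
    return $status
}

# Constructed sample: a throwaway key and a 30-day self-signed certificate.
make_sample_pair() {
    openssl genrsa -out "$1/decrypted.key" 2048 2>/dev/null &&
    openssl req -new -x509 -sha256 -key "$1/decrypted.key" -days 30 \
        -subj "/CN=renewal.example" -out "$1/bundle.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_sample_pair "$demo"
check_renewal "$demo/bundle.crt" "$demo/decrypted.key" 14   # both checks pass
rm -rf "$demo"
```

On the real server, call check_renewal with the paths from the nginx configuration and a warning window matching your renewal cadence.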

Pages of this website are under the CC-BY 4.0 license.