This is mainly from an EDF/NSD point of view.
When the certificate needs to be replaced:
Create new CSR file
We create a certificate signing request (CSR) file, following "OpenSSL CSR Creation for Apache SSL", or we can use their OpenSSL CSR Wizard.
To create it, we need the following information from EDF:
Country Code: GB
State or Province: London
Locality Name: Fitzrovia
Organisation Name: EDF Energy Limited
Organisational Unit Name: EDF Energy Limited
Common Name: newnuclearsuppliers.edfenergy.com
Email Address: WE NEED A CURRENT EDF EMAIL ADDRESS
The CSR file is given to EDF to purchase the new SSL certificate.
An example command would be:
openssl req -new -newkey rsa:2048 -nodes -out newnuclearsuppliers_edfenergy_com.csr -keyout newnuclearsuppliers_edfenergy_com.key -subj "/emailAddress=postmaster@edf-energy.com/C=GB/ST=London/L=Fitzrovia/O=EDF Energy Limited/OU=EDF Energy Limited/CN=newnuclearsuppliers.edfenergy.com"
With email address included:
openssl req -new -newkey rsa:2048 -nodes -out newnuclearsuppliers.edfenergy.com.csr -keyout newnuclearsuppliers.edfenergy.com.key -subj "/emailAddress=postmaster@edf-energy.com/C=GB/ST=England/L=England/O=EDF Energy PLC/OU=EDF Energy/CN=newnuclearsuppliers.edfenergy.com"
Install Certificates (OLD)
We need to replace 2 files:
- intermediate.crt
- newnuclearsuppliers.edfenergy.com.crt
Both are stored on the server in the folder /etc/webmin.
EDF will provide the content of the file newnuclearsuppliers.edfenergy.com.crt. We need to get the contents for intermediate.crt.
We can get them either manually or, if EDF provides the confirmation email, by downloading them from wherever the certificate was purchased.
For example:
Get the intermediate CA here, or do it the long way:
- Our product is “Managed PKI for SSL”, so we need to get the Symantec Intermediate CA Certificates
Install Certificates (NEW)
Apache SSL Certificate Installation
We need to replace 6 files:
From EDF:
- AddTrustExternalCARoot.crt
- newnuclearsuppliers.edfenergy.com.crt
- TrustedSecureCertificateAuthority5.crt
- USERTrustRSAAddTrustCA.crt
Created by SWS from creation process:
- newnuclearsuppliers.edfenergy.com.csr
- newnuclearsuppliers.edfenergy.com.key
Files are stored on the server in the folder /etc/httpd/ssl
The configuration is in this file: /etc/httpd/conf.d/https.conf
SSLCertificateFile "/etc/httpd/ssl/newnuclearsuppliers.edfenergy.com.crt"
SSLCertificateKeyFile "/etc/httpd/ssl/newnuclearsuppliers.edfenergy.com.key"
SSLCertificateChainFile /etc/httpd/ssl/TrustedSecureCertificateAuthority5.crt
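Before restarting Apache, it is worth confirming that the .crt received from EDF belongs to the .key and .csr created earlier and is not about to expire. The script below is an added example, not part of the original procedure; the function names and the 30-day threshold are assumptions, and the sample material it generates is constructed throwaway data.

```shell
#!/bin/sh
# Pre-restart check for a replacement certificate (added example).
# Usage: sh <this script> CERT KEY CSR, e.g. the .crt, .key and .csr
# in /etc/httpd/ssl. With no arguments it runs on constructed sample files.

# Public key of a certificate, private key or CSR, as PEM text.
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey; }
pub_of_key()  { openssl pkey -in "$1" -pubout; }
pub_of_csr()  { openssl req  -in "$1" -noout -pubkey; }

# check_pair CERT KEY CSR: succeeds only if all three share one public key
# and the certificate is still valid 30 days (2592000 s) from now.
check_pair() {
    c=$(pub_of_cert "$1") || return 2
    k=$(pub_of_key "$2") || return 2
    r=$(pub_of_csr "$3") || return 2
    [ "$c" = "$k" ] || { echo "certificate does not match key" >&2; return 1; }
    [ "$r" = "$k" ] || { echo "CSR does not match key" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null ||
        { echo "certificate expires within 30 days" >&2; return 1; }
    echo "OK: $(openssl x509 -in "$1" -noout -subject -enddate | tr '\n' ' ')"
}

# make_sample DIR NAME DAYS: constructed test material (throwaway key, CSR
# and self-signed certificate) so the checks can be tried offline.
make_sample() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2.example" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days "$3" \
        -out "$1/$2.crt" 2>/dev/null
}

if [ "$#" -eq 3 ]; then
    check_pair "$1" "$2" "$3"
else
    d=$(mktemp -d) && make_sample "$d" demo 90 &&
        check_pair "$d/demo.crt" "$d/demo.key" "$d/demo.csr"
    rm -rf "$d"
fi
```

A mismatch here means Apache would refuse to start with the new files, so it is cheaper to find out before the restart.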
Test and restart apache on server
After these files are replaced, test the configuration and then restart Apache with these commands:
apachectl configtest
apachectl restart
To test the certificate:
- openssl s_client -connect newnuclearsuppliers.edfenergy.com:443
or