OpenSSL How To Renew A Certificate

Nov 14, 2022 · 1 min read

In the video below, we show you how to renew an SSL/TLS certificate created with OpenSSL.


Using OpenSSL as a Certificate Authority is a manual process, and at some point a certificate will expire and need to be replaced.

When that happens, a web browser may refuse to let you access the server, so it's best to renew the certificate before it expires.

Steps Taken

  1. Revoke Existing Certificate
    You can't extend the expiry date of an existing certificate.
    Instead, you have to create a new one.
    But because the details used are the same, we're effectively renewing it.
    If you already have the CSR and SAN config files in the CA, you can reuse them to make the process easier, but OpenSSL will complain:
    even if a certificate has expired, it won't let you create a new certificate while one already exists in the database for that common name.
    So the first thing to do is revoke the existing certificate, for example:
    openssl ca -revoke certs/testserver.crt -config root-ca.conf

  2. Create New Certificate
    Now you can create a new certificate for your server
    For example
    openssl ca -config root-ca.conf -notext -in csr/testserver.csr -out certs/testserver.crt -extensions req_ext -extfile csr/testserver-csr.conf
    In other words, we run the exact same command that was used to create the original certificate.
    TIP: You can check that a certificate contains the Subject Alternative Name details with a command like this:
    openssl x509 -text -noout -in certs/testserver.crt | grep -A 1 "Subject Alt"

  3. Replace Certificate
    Finally, replace the certificate on the server with the new one.
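The three steps above, run end to end as an added example (this is not the post's own script). It builds a throw-away CA in a temporary directory, issues a certificate for a constructed host name (testserver.example.test) from a CSR and SAN config, revokes it, re-issues it from the same files, and then checks that the new certificate carries the SAN. The directory layout and the file names root-ca.conf, testserver.csr and testserver-csr.conf mirror the post; the CA config contents are an assumption, kept to the minimum openssl ca needs. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original post: renew (revoke + re-issue) a
# certificate with a minimal OpenSSL CA, all inside a temp directory.
set -eu

WORK=$(mktemp -d)
CA_DIR="$WORK/ca"
trap 'rm -rf "$WORK"' EXIT

setup_ca() {
  mkdir -p "$CA_DIR/certs" "$CA_DIR/csr" "$CA_DIR/private" "$CA_DIR/newcerts"
  : > "$CA_DIR/index.txt"          # the CA database openssl ca checks
  echo 1000 > "$CA_DIR/serial"
  # Assumed minimal CA config; unique_subject=yes is also OpenSSL's default.
  cat > "$CA_DIR/root-ca.conf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir            = $CA_DIR
database       = $CA_DIR/index.txt
new_certs_dir  = $CA_DIR/newcerts
serial         = $CA_DIR/serial
certificate    = $CA_DIR/root-ca.crt
private_key    = $CA_DIR/private/root-ca.key
default_md     = sha256
default_days   = 365
policy         = policy_any
unique_subject = yes

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
prompt             = no

[ req_dn ]
CN = Test Root CA

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$CA_DIR/root-ca.conf" \
    -keyout "$CA_DIR/private/root-ca.key" -out "$CA_DIR/root-ca.crt" 2>/dev/null
}

make_csr() {
  # Constructed server CSR plus SAN config, reused for every (re)issue.
  cat > "$CA_DIR/csr/testserver-csr.conf" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = req_ext
prompt             = no

[ req_dn ]
CN = testserver.example.test

[ req_ext ]
subjectAltName = DNS:testserver.example.test, DNS:www.testserver.example.test
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$CA_DIR/csr/testserver-csr.conf" \
    -keyout "$CA_DIR/private/testserver.key" -out "$CA_DIR/csr/testserver.csr" 2>/dev/null
}

issue_cert() {
  # Same command as the post's step 2; -batch added so it runs unattended.
  openssl ca -batch -config "$CA_DIR/root-ca.conf" -notext \
    -in "$CA_DIR/csr/testserver.csr" -out "$CA_DIR/certs/testserver.crt" \
    -extensions req_ext -extfile "$CA_DIR/csr/testserver-csr.conf"
}

revoke_cert() {
  # Step 1: mark the current certificate 'R' in index.txt so the CN is free again.
  openssl ca -config "$CA_DIR/root-ca.conf" -revoke "$CA_DIR/certs/testserver.crt"
}

cert_serial() { openssl x509 -noout -serial -in "$CA_DIR/certs/testserver.crt"; }

index_status_count() {  # $1 = status letter (V or R); prints matching row count
  grep -c "^$1" "$CA_DIR/index.txt" || true
}

san_present() {  # step 2's TIP: does the new cert carry the expected SAN?
  openssl x509 -text -noout -in "$CA_DIR/certs/testserver.crt" \
    | grep -A 1 "Subject Alt" | grep -q "DNS:testserver.example.test"
}

run_renewal() {
  setup_ca
  make_csr
  issue_cert
  FIRST_SERIAL=$(cert_serial)
  revoke_cert
  issue_cert                      # would fail with "already a certificate" before the revoke
  SECOND_SERIAL=$(cert_serial)
  echo "old $FIRST_SERIAL, new $SECOND_SERIAL"
}

run_renewal
```

After the run, index.txt holds one revoked (R) row for the old serial and one valid (V) row for the new one. The database check only looks at V rows, which is why an expired-but-not-revoked certificate still blocks a re-issue: openssl ca does not mark expired entries E until you run openssl ca -updatedb, so revoking, as the post does, is the reliable way to clear the way for the new certificate.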
