
I need to renew an SSL certificate for the first time. I do not have the original CSR, but I do have the certificate.crt/private.key pair. The system told me I need to specify the same data in the CSR for it to be accepted. It would be nice to also generate a new private_new.key in the process.

How can I generate new csr.csr/private_new.key pair using OpenSSL command line utility?

The server in question is a webserver (apache2) hosted on a VPS.

  • This feels a bit light on details. You may wish to edit your question and add what software you're using (e.g. webserver, any Let's Encrypt software, etc.) and who the certificate is being issued through. Commented Aug 15, 2020 at 9:20
  • @Anaksunaman Sorry for that, I thought CSRs are specific to webservers. The certificate is issued to my own organization
    – PiotrK
    Commented Aug 15, 2020 at 9:52
  • @PiotrK CSRs are a certificate's request to be signed [Certificate Signing Request].
    – JW0914
    Commented Aug 15, 2020 at 10:46
  • @JW0914 Yes, I know - does that affect my question somehow?
    – PiotrK
    Commented Aug 15, 2020 at 11:06
  • @PiotrK No, it was mentioned because of your prior comment - a CSR is required for any certificate that needs to be digitally signed, not just a webserver's (such as certs for a signed CA, an ICA, VPN client, code signing, etc., as any cert needing to be digitally signed needs a CSR in order to be signed)
    – JW0914
    Commented Aug 15, 2020 at 12:26

1 Answer

To generate a new key and CSR:

openssl req -out 'apache.csr' -new -sha512 -newkey rsa:2048 -keyout 'apache.key.pem' -nodes
  1. The above assumes you have a working openssl.cnf, but if you do not, use this one and modify the V3 and SAN profiles below (to make this simpler, leave the sophos name as is):
    #-----------------------------------------------------------
                     ##----- SAN Profile -----##
    #-----------------------------------------------------------
    
      # Lines 189 - 193
    
        # IP.1:  If it has a static IP, set it here, else change to 127.0.0.1
                 # and delete IP.2
    
        # IP.2:  If it has more than one static IP, set it in IP.2, etc;
                 # If the webserver can be accessed via SSH, 127.0.0.1 must
                 # remain but can be in IP.3, IP.4, etc. if other IPs exist
    
        # DNS.1: If it has an FQDN, set it
        # DNS.2: If it has more than one FQDN, and/or a local domain name,
                 # set it in DNS.2, etc., else remove DNS.2
    
        # If your cert requires OIDs to be specified, you'd specify each
          # in the same fashion as below, adding a line below DNS.2 for
          # either RID.1 or otherName.1 (see lines 159 - 161)
    
    [ alt_sophos ]
    IP.1                    = 192.168.2.1
    IP.2                    = 127.0.0.1
    DNS.1                   = your.fqdn.com
    DNS.2                   = UTM.WRT
    
    #-----------------------------------------------------------
                      ##----- V3 Profile -----##
    #-----------------------------------------------------------
    
      # Lines 331 - 337
        # DO NOT change anything unless you know with 100% certainty one
        # of these parameters needs to be changed
    
    [ v3_sophos ]
    basicConstraints        = critical, CA:FALSE
    subjectKeyIdentifier    = hash
    authorityKeyIdentifier  = keyid:always, issuer:always
    keyUsage                = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
    extendedKeyUsage        = critical, serverAuth
    subjectAltName          = @alt_sophos
    
  2. Create the required files and directories in the directory you will be working in:
    # openssl can error out if these don't exist since they're in the openssl.cnf
    
      # Create openssl.cnf required directories (cd into ~/ssltemp itself, not a relative path):
        mkdir -p ~/ssltemp/ca ; cd ~/ssltemp ; mkdir cert ; mkdir crl
    
      # Create openssl.cnf required files (note the forward slash in crl/crlnumber):
        echo 01 > crl/crlnumber ; echo 00 > serial ; echo > index ; echo > rand
    
      # Copy openssl.cnf from ~
        cp ~/openssl.cnf .
    
    Normally the openssl.cnf is located at /etc/openssl/openssl.cnf; however, depending on whether you have permission to write to that directory, you can place it at ~/openssl.cnf
  3. Create the private key and CSR:
    # This should be done on the server, as the key is not encrypted:
    # -reqexts is the flag that puts the section into a CSR (OpenSSL 1.1.x ignores -extensions unless -x509 is given; 3.x treats the two as synonyms)
      openssl req -out 'apache.csr' -new -sha512 -newkey rsa:2048 -keyout 'apache.key.pem' -config './openssl.cnf' -reqexts v3_sophos -nodes
    
    Do not input the cert's HN, FQDN, or IP into the commonName when it's requested, as none of these belong in the CN per the RFC; instead, name the cert
  4. Cleanup:
    # Move apache.key.pem and apache.csr out of ~/ssltemp first; this deletes everything in it
    rm -rf ~/ssltemp
    
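The answer above generates a fresh key and CSR but leaves the subject to be typed in at the prompts, whereas the question asks for a CSR that carries the same data as the existing certificate. The following added example (my own script, not part of the original answer or of the OpenSSL project) reads the subject and the SAN list out of the existing certificate and reuses them for a CSR over a newly generated key, then checks the result the way a CA would. The certificate it operates on is a constructed self-signed stand-in made by make_sample_cert; the file names certificate.crt, private.key, private_new.key and csr.csr are assumed from the question, and the only dependency assumed is the openssl CLI (1.1.1 or 3.x) on PATH.

```shell
#!/bin/sh
# Added example, not from the original answer: renew without the original CSR by
# copying subject + SANs from certificate.crt into a CSR for a new private_new.key.
# Assumes only the openssl CLI (1.1.1 or 3.x) on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for the existing certificate.crt/private.key pair:
# a throwaway self-signed cert. Skip this in real use and point at your own files.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj '/C=US/ST=Example/L=Town/O=Example Org/CN=www.example.com' \
        -addext 'subjectAltName=DNS:www.example.com,DNS:example.com' \
        -keyout "$WORK/private.key" -out "$WORK/certificate.crt" >/dev/null 2>&1
}

# Subject in the /C=.../CN=... form that `openssl req -subj` accepts, so it round-trips exactly.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject=[[:space:]]*//'; }
csr_subject()  { openssl req  -in "$1" -noout -subject -nameopt compat | sed 's/^subject=[[:space:]]*//'; }

# SAN list taken from -text output and rewritten into -addext syntax
# ("DNS:a, IP Address:1.2.3.4" -> "DNS:a,IP:1.2.3.4"); prints nothing if there is no SAN.
san_from_text() {
    awk '/Subject Alternative Name/ { getline; print; exit }' \
        | sed 's/^[[:space:]]*//; s/IP Address:/IP:/g; s/, */,/g'
}
cert_san() { openssl x509 -in "$1" -noout -text | san_from_text; }
csr_san()  { openssl req  -in "$1" -noout -text | san_from_text; }

# SHA-256 over the DER public key, used to compare keys and CSRs.
pubkey_fp()     { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | sed 's/.*= //'; }
csr_pubkey_fp() { openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256 | sed 's/.*= //'; }

# Checks the CSR's self-signature; exit status 0 on success.
csr_verify() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# renew_csr CERT NEW_KEY CSR: CSR with CERT's subject and SANs over a new 2048-bit RSA key.
renew_csr() {
    cert=$1; newkey=$2; csr=$3
    subj=$(cert_subject "$cert")
    san=$(cert_san "$cert")
    if [ -n "$san" ]; then
        openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout "$newkey" -out "$csr" \
            -subj "$subj" -addext "subjectAltName=$san" >/dev/null 2>&1
    else
        openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout "$newkey" -out "$csr" \
            -subj "$subj" >/dev/null 2>&1
    fi
    chmod 600 "$newkey"   # -nodes writes the key unencrypted; keep it readable only by you
}

make_sample_cert
renew_csr "$WORK/certificate.crt" "$WORK/private_new.key" "$WORK/csr.csr"

# Checks to run before submitting: signature valid, subject and SANs copied,
# CSR carries the new public key, and the new key really differs from the old one.
csr_verify "$WORK/csr.csr"
[ "$(csr_subject "$WORK/csr.csr")" = "$(cert_subject "$WORK/certificate.crt")" ]
[ "$(csr_san "$WORK/csr.csr")" = "$(cert_san "$WORK/certificate.crt")" ]
[ "$(csr_pubkey_fp "$WORK/csr.csr")" = "$(pubkey_fp "$WORK/private_new.key")" ]
[ "$(pubkey_fp "$WORK/private_new.key")" != "$(pubkey_fp "$WORK/private.key")" ]
echo "CSR for $(csr_subject "$WORK/csr.csr") with SAN $(csr_san "$WORK/csr.csr") written to $WORK/csr.csr"
```

In real use, drop make_sample_cert and call renew_csr with your own certificate.crt; the new key and CSR land wherever you point it, so nothing has to be cleaned up afterwards. If only the subject needs copying and not the SANs, `openssl x509 -x509toreq -in certificate.crt -signkey private_new.key -out csr.csr` does that in one command, but it does not carry the extensions over without further options, and a modern CA will reject a server CSR whose SAN does not list the hostname.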
