
I installed OpenSSL on CentOS. I made a small client program which handshakes with a server. The server provides its certificate during the handshake. I have to verify that certificate. In my code, I set the flag "SSL_VERIFY_PEER" and set the path to /etc/pki/tls. In the "tls" directory, there is a "cert.pem" file which openssl uses for certificate verification. When I verify "cert.pem" using the openssl verify command, it says this file is expired. When I run my program, the SSL handshake always fails. My question is: how can I get an updated cert.pem file, or is there a way to update that file? I'm new to OpenSSL, so I'm a little confused.

Ansari
  • You may find [**How to Renew Certificate with OpenSSL**](http://mindref.blogspot.com/2012/02/openssl-renew-certificate.html) useful. There is always [**OpenSSL Command-Line HOWTO**](https://www.madboa.com/geek/openssl/). It will depend whether you have the original key or signing request available. If so, you can renew the certificate easily. If not, you will probably need to create a new certificate entirely. See: [**How to renew an expired Apache...**](https://support.pivotal.io/hc/en-us/articles/202653388-How-to-renew-an-expired-Apache-Web-Server-self-signed-certificate-using-openssl-tool) – David C. Rankin Sep 13 '15 at 05:28
  • See also: [**How to renew a self-signed openssl PEM certificate**](http://stackoverflow.com/questions/25620685/how-to-renew-a-self-signed-openssl-pem-certificate) – David C. Rankin Sep 13 '15 at 05:37
  • When I run the OpenSSL revoke command on "cert.pem" (file in /etc/pki/tls/), it says "Error opening CA private key /etc/pki/CA/private/cakey.pem". There is no "cakey.pem" in the private folder. Is there any way I can get a valid cert.pem file so that my SSL proxy client works with any HTTPS server like Google etc.? – Ansari Sep 14 '15 at 05:45
  • I can't recall which, but I think it was the last howto I linked above that shows how to extract the private key from the certificate. If that won't work for you, you might as well save your existing key to a new filename (say `cert.pem.sav`) and simply generate a new self-signed certificate for your server. – David C. Rankin Sep 14 '15 at 05:58
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306). – jww Sep 16 '15 at 01:22
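An added example (not code from the question or its comments): on CentOS, /etc/pki/tls/cert.pem is a CA bundle with many certificates in one file, and `openssl verify` only examines the first of them, so this script checks every certificate in the bundle for expiry using the same `openssl x509` tool. The bundle path and the warning window are the caller's choice; the `bundle_expiry_report` and `count_expiring` function names are my own.

```shell
#!/bin/sh
# Added example: inspect each certificate in a PEM CA bundle (for example
# /etc/pki/tls/cert.pem) and report which entries have expired or will
# expire within a window. Requires the openssl command-line tool.

# Print one line per certificate: status, notAfter, subject.
# $1 = bundle path, $2 = warning window in seconds (default 0 = already expired)
bundle_expiry_report() {
    bundle=$1
    window=${2:-0}
    tmpdir=$(mktemp -d) || return 1
    # Split the bundle: every BEGIN..END block becomes its own file, and any
    # comment text between blocks is skipped.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%04d.pem", dir, n); inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { close(out); inblock = 0 }
    ' "$bundle"
    for cert in "$tmpdir"/*.pem; do
        [ -f "$cert" ] || continue
        subject=$(openssl x509 -in "$cert" -noout -subject)
        enddate=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
        # -checkend exits 0 only if the certificate stays valid for the whole window.
        if openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null; then
            status=OK
        else
            status=EXPIRING
        fi
        printf '%-9s %-26s %s\n' "$status" "$enddate" "$subject"
    done
    rm -rf "$tmpdir"
}

# Number of certificates expiring within the window; handy as a monitoring check.
count_expiring() {
    bundle_expiry_report "$1" "${2:-0}" | grep -c '^EXPIRING' || true
}
```

On CentOS the bundle is generated by the ca-certificates package (update-ca-trust), so an out-of-date trust store is fixed by updating that package rather than by editing cert.pem by hand.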

0 Answers