Generate an SSL-Certificate manually


During installation, a self-signed SSL certificate (v1) is generated, based on the host name and domain specified in the setup process, to enable HTTPS access to the WUI of IPFire via port 444.

If you change the host name and/or domain name afterwards, the SSL certificate has to be rebuilt; otherwise the browser will complain not only about the self-signed certificate but also about the mismatch between the URL and the SSL certificate presented.

Generating an SSL certificate is not difficult if you pay attention to a few things and know where the SSL certificate is stored.

Step-by-step Instructions

Backup the existing keys and certificates

The server.key, server-ecdsa.key and the corresponding SSL-Certificates are stored in the folder /etc/httpd of a standard IPFire installation.

First, back up the existing keys and certificates that you want to replace.

Use the commands:

cp server.key server.key.old &&
cp server.csr server.csr.old &&
cp server.crt server.crt.old

cp server-ecdsa.key server-ecdsa.key.old &&
cp server-ecdsa.csr server-ecdsa.csr.old &&
cp server-ecdsa.crt server-ecdsa.crt.old

to save the existing files:

  • [certificatename].key (private key, essential to create CSR and SSL-Certificate)
  • [certificatename].csr (CSR (Certificate Signing Request), Request-file to build an SSL-Certificate)
  • [certificatename].crt (the SSL-Certificate)

in the current folder (/etc/httpd)

where [certificatename] covers both server and server-ecdsa names.

Create new private keys

All SSL certificates that are based on the old server.key or server-ecdsa.key become invalid once a new private key replaces it!

Use these commands:

openssl genrsa -out server.key 4096
openssl ecparam -genkey -name secp384r1 -noout -out server-ecdsa.key

to create new RSA and ECDSA private keys without a pass phrase.

Generate new CSRs (Certificate Signing Request)

Use these commands:

openssl req -new -key server.key -out server.csr
openssl req -new -key server-ecdsa.key -out server-ecdsa.csr

to create the new RSA and ECDSA CSRs.

It is important to set the Common Name to the correct host name and domain name of your IPFire system.

Create new SSL-Certificates

Use these commands:

openssl x509 -req -days 999999 -in server.csr -signkey server.key -out server.crt
openssl x509 -req -days 999999 -in server-ecdsa.csr -signkey server-ecdsa.key -out server-ecdsa.crt

to create new self-signed SSL-Certificates.

Restart the Apache web server

Use this command:

/etc/init.d/apache restart

to restart the web server.

If you want to check the new certificate, just start your browser, access the WUI of your IPFire via https://.:444 and check the certificate details with a click on the lock icon in the URL-bar of your browser.
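The same check can be made on the command line before the web server is restarted. The script below is an added example, not part of IPFire or of the original page; the function names are hypothetical, and the sample pair it can build is a constructed throwaway.

```shell
#!/bin/sh
# Added example (not IPFire tooling): checks for a key/certificate pair.

# pair_matches KEY CERT: succeed only if CERT carries the public key of KEY.
# Parse failures return 2, so two unreadable files never compare as "equal".
pair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# cert_cn CERT: print the subject Common Name in lower case.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p' | tr 'A-Z' 'a-z'
}

# check_pair KEY CERT FQDN: run both checks, give the reason on stderr.
check_pair() {
    pair_matches "$1" "$2" ||
        { echo "FAIL $2: does not belong to $1" >&2; return 1; }
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    [ "$(cert_cn "$2")" = "$want" ] ||
        { echo "FAIL $2: CN '$(cert_cn "$2")', expected '$want'" >&2; return 1; }
    echo "OK $2"
}

# make_sample DIR FQDN: constructed throwaway ECDSA pair, built with the
# commands from this page plus -subj so no prompt appears. For trying out
# the checks only; never used for the live files.
make_sample() {
    openssl ecparam -genkey -name secp384r1 -noout -out "$1/t.key" &&
    openssl req -new -key "$1/t.key" -subj "/CN=$2" -out "$1/t.csr" &&
    openssl x509 -req -days 1 -in "$1/t.csr" -signkey "$1/t.key" \
        -out "$1/t.crt" 2>/dev/null
}

# Called with one argument (host name and domain), check the files in /etc/httpd.
if [ $# -eq 1 ]; then
    cd /etc/httpd && check_pair server.key server.crt "$1" &&
        check_pair server-ecdsa.key server-ecdsa.crt "$1"
fi
```

A failure on the first check means the certificate was signed with a different key than the one on disk; a failure on the second means the Common Name was not set to the current host name and domain.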

Older Revisions • October 6, 2020 at 1:30 pm • Adolf Belka