Updating SSL Cert - GTAC-MGI/GTAC-ESP-LIMS GitHub Wiki

Renewing SSL certs yearly

Go here to register for a new cert: https://wustl.service-now.com/sp?id=sc_cat_item&sys_id=b53b9d461b7e0c1019b7ecadee4bcb1c

Generate a new CSR for WUIT (Change N to year!):

openssl req -new -newkey rsa:2048 -nodes -keyout gtac-lims-N.key -out gtac-lims-N.csr

  • Common Name = [servername].wustl.edu
  • Organization Name = Washington University in St. Louis (must be exact)
  • Locality = St. Louis (must be exact)
  • State = Missouri (must be exact)
  • Country = US (must be exact)

email: [email protected]

SSL challenge pwd: ********** (see private notes)

Open up the cert in a browser and copy/paste the values into the new request.

Settings for WUIT request:

  • Wildcard request: No
  • SSL certificate hosted by 3rd-party vendor: No


To use SSL certs with the connection, define the environment variables PGSSLCERT and PGSSLKEY, pointing to their respective files, for the user account running the ESP application. Store them in .env.

New certs are installed on gtac-lims-2.wucon.wustl.edu.

  • Use the cert from WUIT listed as "Certificate only, PEM encoded"; this will be the 'bundle' cert file. You might get more than one file; use the file that is the longest.
  • Get the gtac-mgi-lims_wustl_edu_interm.cer file as well.

You may need to move the very bottom block of the cert to the top (for the bundle file)!

https://stackoverflow.com/questions/26191463/ssl-error0b080074x509-certificate-routinesx509-check-private-keykey-values/28894191#28894191
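
nginx pairs the private key with the first certificate block in the bundle file, which is why the block order matters. The script below is an added example, not part of the original wiki: it finds which block in the bundle matches the key and can write a reordered copy. The function names and the script name check_bundle.sh are hypothetical, and it assumes an unencrypted key as produced by the -nodes CSR command above.

```shell
#!/bin/sh
# Added example (not from the wiki). Assumes an unencrypted PEM private key.

# split_bundle <bundle> <dir>: write each certificate block to <dir>/cert-N.pem
split_bundle() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (dir "/cert-" n ".pem") }' "$1"
}

# leaf_position <bundle> <key>: print the 1-based position of the certificate
# whose public key matches <key>, or 0 if no block matches.
leaf_position() {
    lp_dir=$(mktemp -d) || return 2
    split_bundle "$1" "$lp_dir"
    lp_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || lp_key=""
    lp_pos=0; lp_i=1
    while [ -n "$lp_key" ] && [ -f "$lp_dir/cert-$lp_i.pem" ]; do
        lp_pub=$(openssl x509 -in "$lp_dir/cert-$lp_i.pem" -pubkey -noout 2>/dev/null) || lp_pub=""
        if [ "$lp_pub" = "$lp_key" ]; then lp_pos=$lp_i; break; fi
        lp_i=$((lp_i + 1))
    done
    rm -rf "$lp_dir"
    echo "$lp_pos"
}

# reorder_bundle <bundle> <key> <out>: matching cert first, rest in original order
reorder_bundle() {
    rb_pos=$(leaf_position "$1" "$2") || return 2
    [ "$rb_pos" -gt 0 ] || return 1
    rb_dir=$(mktemp -d) || return 2
    split_bundle "$1" "$rb_dir"
    cat "$rb_dir/cert-$rb_pos.pem" > "$3"
    rb_i=1
    while [ -f "$rb_dir/cert-$rb_i.pem" ]; do
        [ "$rb_i" -eq "$rb_pos" ] || cat "$rb_dir/cert-$rb_i.pem" >> "$3"
        rb_i=$((rb_i + 1))
    done
    rm -rf "$rb_dir"
}

# Stand-alone use: sh check_bundle.sh <bundle.cer> <private.key>
if [ "$#" -eq 2 ]; then
    case $(leaf_position "$1" "$2") in
        0) echo "no certificate in $1 matches $2"; exit 1 ;;
        1) echo "OK: first certificate matches the key" ;;
        *) echo "matching certificate is not first; reorder before restarting nginx"; exit 1 ;;
    esac
fi
```

After the files are in place, `sudo nginx -t` loads the configured certificate and key and reports a key mismatch without restarting the running service.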


files listed in: /etc/nginx/conf.d

update via nano:

ssl_certificates

  • /etc/pki/tls/certs/gtac-mgi-lims_wustl_edu_bundle.cer
  • /etc/pki/tls/certs/gtac-mgi-lims_wustl_edu_interm.cer

ssl_certificate_key

  • /etc/pki/tls/private/gtac-mgi-lims.key

Update certs and restart nginx: sudo systemctl restart nginx