April 8, 2014
Because of the Heartbleed vulnerability in OpenSSL, I'm treating all of my private SSL keys as compromised and regenerating them. Fortunately, certificate authorities will reissue a certificate for free that signs a new key and is valid for the remaining time on the original certificate.
Unfortunately, using the openssl commands by hand to rekey dozens of SSL certificates is really annoying and is not my idea of a good time. So, I wrote a shell script called openssl-rekey to automate the process. openssl-rekey takes any number of certificate files as arguments, and for each one, generates a new private key of the same length as the original key, and a new CSR with the same common name as the original cert.
If you have a directory full of certificates, it's easy to run openssl-rekey on all of them with find and xargs:
$ find -name '*.crt' -print0 | xargs -0 /path/to/openssl-rekey
Once you've done this, you just need to submit the .csr files to your certificate authority, and then install the new .key and .crt files on your servers.
By the way, if you're like me and hate dealing with openssl commands
and cumbersome certificate authority websites, you should check out my
side project, SSLMate, which
makes buying certificates as easy as running
sslmate buy www.example.com
2 and reissuing certificates as easy as running
reissue www.example.com. I was able to reissue each of my SSLMate
certs in under a minute. As my old certs expire I'm replacing them with
SSLMate certs, and that cannot happen soon enough.
Posted on 2014-04-08 at 15:17:57 UTC | Comments