cloud engineer
by Ulysses
How to list SSL certificates in AWS Certificate Manager.
aws acm list-certificates |
aws acm list-certificates
Result
{ "CertificateSummaryList": [ { "CertificateArn": "arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "DomainName": "mydomain.com" } ] } |
{ "CertificateSummaryList": [ { "CertificateArn": "arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "DomainName": "mydomain.com" } ] }
Describe details about the certificate.
aws acm describe-certificate \ --certificate-arn arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \ --region us-east-1 \ --profile my-profile |
aws acm describe-certificate \ --certificate-arn arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \ --region us-east-1 \ --profile my-profile
by Ulysses
Here’s where the Wiki keeps its SSL certificate keys.
/etc/pki/tls/certs/yourdomain.crt /etc/pki/tls/private/yourdomain.key |
/etc/pki/tls/certs/yourdomain.crt /etc/pki/tls/private/yourdomain.key
In some cases, SSL needs to be converted so it doesn’t prompt you for a password if you restart Apache.
Conversion
openssl rsa -in /etc/pki/tls/private/yourdomain.key.new -out /etc/pki/tls/private/yourdomain.key.new_no_pass |
openssl rsa -in /etc/pki/tls/private/yourdomain.key.new -out /etc/pki/tls/private/yourdomain.key.new_no_pass
by Ulysses
Here’s the openssl command to find out if a cert is expired.
$ openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2> /dev/null | openssl x509 -noout -dates |
$ openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2> /dev/null | openssl x509 -noout -dates
Result
notBefore=Apr 9 00:00:00 2020 GMT notAfter=Apr 9 23:59:59 2022 GMT |
notBefore=Apr 9 00:00:00 2020 GMT notAfter=Apr 9 23:59:59 2022 GMT
by Ulysses
Occassionally, AWS requires validation of your domain via email message. Here’s the command to send a request.
aws acm resend-validation-email \ --certificate-arn arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \ --domain yourdomain.com \ --validation-domain yourdomain.com aws acm resend-validation-email \ --certificate-arn arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \ --domain www.yourdomain.com \ --validation-domain yourdomain.com |
aws acm resend-validation-email \ --certificate-arn arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \ --domain yourdomain.com \ --validation-domain yourdomain.com aws acm resend-validation-email \ --certificate-arn arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \ --domain www.yourdomain.com \ --validation-domain yourdomain.com
You will need acm:ResendValidationEmail permission to run the command.
by Ulysses
gcloud compute ssl-certificates create certificate-name \ --description="ssl cert for domain-name.com" \ --domains=domain-name.com \ --certificate=certificate-file \ --private-key=private-key \ --region=us-central1-c \ --global |
gcloud compute ssl-certificates create certificate-name \ --description="ssl cert for domain-name.com" \ --domains=domain-name.com \ --certificate=certificate-file \ --private-key=private-key \ --region=us-central1-c \ --global
by Ulysses
You can register multiple domains to a single SSL certificate. This is particularly useful if you are hosting multiple domains on one server. This command adds more domains to your existing certificate.
certbot --expand -d existing.com -d newdomain1.com -d newdomain2.com |
certbot --expand -d existing.com -d newdomain1.com -d newdomain2.com
Check if the domains were added.
certbot certificates |
certbot certificates
Certbot certificates are valid for 90 days, but they automatically renew themselves if expiration is less than 30 days. If you need to renew manually for some odd reason, you can run this command. You can also perform a dry-run before renewing.
certbot renew
certbot renew --dry-run |
certbot renew certbot renew --dry-run
by Ulysses
Here’s how to create a regional SSL Certificate.
gcloud compute ssl-certificates create my-ssl-cert \ --description "describe ssl certificate" \ --domains=domain1.com,domain2.com \ --certificate=cert.pem \ --private-key=private.key \ --region=us-central1 |
gcloud compute ssl-certificates create my-ssl-cert \ --description "describe ssl certificate" \ --domains=domain1.com,domain2.com \ --certificate=cert.pem \ --private-key=private.key \ --region=us-central1
List the SSL certificates.
gcloud compute ssl-certificates list --project=project-id |
gcloud compute ssl-certificates list --project=project-id
Describe the SSL certificate.
gcloud compute ssl-certificates describe my-ssl-cert \ --region=us-central1 \ --project=project-id |
gcloud compute ssl-certificates describe my-ssl-cert \ --region=us-central1 \ --project=project-id
Delete SSL certificate.
gcloud compute ssl-certificates delete my-ssl-cert \ --region=us-central1 \ --project=project-id |
gcloud compute ssl-certificates delete my-ssl-cert \ --region=us-central1 \ --project=project-id
by Ulysses
Here’s how to update AWS Certificate Manager SSL Cert.
#!/bin/bash cd /etc/letsencrypt/live/domain.com/ arn='arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' aws acm import-certificate \ --certificate fileb://cert.pem \ --certificate-chain fileb://chain.pem \ --private-key fileb://privkey.pem \ --certificate-arn $arn \ --region us-east-1 |
#!/bin/bash cd /etc/letsencrypt/live/domain.com/ arn='arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' aws acm import-certificate \ --certificate fileb://cert.pem \ --certificate-chain fileb://chain.pem \ --private-key fileb://privkey.pem \ --certificate-arn $arn \ --region us-east-1
You can run this every time certbot updates your certificate. Or you can schedule it in crontab.