During the Installation, there will be a self-signed SSL-Certificate(v1) generated, based on (in the setup process) specified host name and domain, to enable https-access to the WUI of IPFire via port 444.

If you change the host name and/or domain name afterwards, then the SSL-Certificate has to be rebuilt, otherwise the browser will not only complain about the self-signed certificate, but also about the lack of conformity between the URL and the SSL certificate included.

Generating an SSL certificate is not difficult, if you follow a few things and know, where the SSL certificate is stored.

Step-by-step Instructions

Backup the existing keys and certificates

The server.key, server-ecdsa.key and the corresponding SSL-Certificates are stored in the folder /etc/httpd of a standard IPFire installation.

At first you should backup the existing certificates which you want to replace.

Use the commands:

cp server.key server.key.old &&
cp server.csr server.csr.old &&
cp server.crt server.crt.old

cp server-ecdsa.key server-ecdsa.key.old &&
cp server-ecdsa.csr server-ecdsa.csr.old &&
cp server-ecdsa.crt server-ecdsa.crt.old

to save the existing files:

  • [certificatename].key (private key, essential to create CSR and SSL-Certificate)
  • [certificatename].csr (CSR (Certificate Signing Request), Request-file to build an SSL-Certificate)
  • [certificatename].crt (the SSL-Certificate)

in the current folder (/etc/httpd)

where [certificatename] covers both server and server-ecdsa names.

Create new private keys

All SSL-certificates, which are based on the old server.key or server-ecdsa.key, will be invalid through a new private key!

Use these commands:

openssl genrsa -out server.key 4096
openssl ecparam -genkey -name secp384r1 -noout -out server-ecdsa.key

to create new rsa and ecdsa private keys without a pass phrase.

Generate new CSRs (Certificate Signing Request)

Use these commands:

openssl req -new -key server.key -out server.csr
openssl req -new -key server-ecdsa.key -out server-ecdsa.csr

to create the new rsa and ecdsa CSRs.

It is important, to set the Common name to the correct host name & domain name (e.g. of your IPFire-System

Create new SSL-Certificates

RFC2818 has deprecated falling back to the commonName field since May of 2000. The use of the subjectAltName field has been enforced in Chrome since version 58 (see Chrome 58 deprecations).

OpenSSL accepts x509v3 configuration files to add extended configurations to certificates (see the subjectAltName field for configuration options).

So first , you create config file to add Subject Alternative Name to your certificate

touch v3.ext

Then edit the file and add the following configuration details. Beware your subjectAltName corresponds to the Common name used earlier; you can also add other AltNames

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:TRUE
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName         =, DNS:*, IP:
issuerAltName          = issuer:copy

Once you got v3 config file ready, proceed to issuing final certificates
Use these commands:

openssl x509 -req -days 999999 -in server.csr -signkey server.key -out server.crt -extfile v3.ext
openssl x509 -req -days 999999 -in server-ecdsa.csr -signkey server-ecdsa.key -out server-ecdsa.crt -extfile v3.ext

to create new self-signed SSL-Certificates.

Restart the Apache web server

Use this command:

/etc/init.d/apache restart

to restart the web server.

If you want to check the new certificate, just start your browser, access the WUI of your IPFire via https://.:444 and check the certificate details with a click on the lock icon in the URL-bar of your browser.