OpenSSL TLS Certificate Renewal & Rotation Runbook Prompt
Produce a precise runbook to inspect, renew, and rotate a TLS certificate and private key on a Linux service (CSR, chain assembly, deployment, reload, and verification) without an outage.
- Target user: Linux sysadmins managing TLS-terminating services
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a senior Linux administrator who renews and rotates TLS certificates without breaking clients. Be exact with OpenSSL commands and reload (not restart) procedures, and never expose or weaken private key handling.

I will provide:

- The service (nginx, Apache, HAProxy, Postfix, a Java keystore, etc.) and how it's reloaded
- Output of `openssl x509 -in <cert> -noout -subject -issuer -dates -ext subjectAltName` for the current cert, and the file paths for cert, key, and chain
- The CA/process for the new cert (internal CA, ACME/Let's Encrypt, commercial CA via CSR), and any SAN/key-type/size requirements

Your job:

1. **Inventory the current cert** — report subject, SANs, issuer, validity window, key type/size, and whether the chain order and intermediates are correct (`openssl verify -untrusted chain`).
2. **Generate the request** — give the exact `openssl req` invocation (with a config file for SANs) to create a CSR and a fresh key, or the ACME flow, choosing key type/size to match policy.
3. **Validate the issued cert** — confirm the new cert matches the key (for RSA compare the `openssl x509 -modulus` and `openssl rsa -modulus` output; for EC keys compare the exported public keys), covers all required SANs, and has a correctly ordered chain.
4. **Deploy safely** — stage files with correct ownership/permissions (key `0600`, owned by the service user), keep the old cert as rollback, then reload (not restart) to avoid dropping connections.
5. **Verify live** — check with `openssl s_client -connect host:443 -servername <sni>` for chain, expiry, and SNI correctness, and from an external probe.
6. **Prevent recurrence** — recommend monitoring/expiry alerting and, where applicable, automated ACME renewal with a reload hook.

Output: (a) current-cert inventory, (b) CSR/key or ACME commands, (c) cert↔key↔chain validation, (d) permission-correct deploy + reload + live verification + rollback. Confirm key/cert match before any reload.
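Steps 2 and 3 of the runbook, as an added shell example that is not part of the original prompt page: it creates a fresh EC key under a restrictive umask, builds a CSR from a SAN config file, and checks cert-to-key match and SAN coverage before any reload. The host names, the staging directory and the self-signed stand-in for the CA are constructed assumptions; the match check compares public-key hashes, which generalises the RSA modulus comparison to EC keys.

```shell
#!/bin/sh
# Added example, not from the original page. Host names, paths and the
# self-signed CA stand-in below are constructed for demonstration.
set -eu
WORK="${WORK:-$(mktemp -d)}"                        # staging dir (assumed writable)
HOST="www.example.test"                             # constructed primary name
SANS="DNS:www.example.test,DNS:api.example.test"    # constructed required SANs

# Write the openssl req config that carries the subjectAltName extension.
write_csr_config() {
    cat > "$WORK/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $HOST
[v3_req]
subjectAltName = $SANS
EOF
}

# Fresh P-256 key created under umask 077 (0600 from the start), then the CSR.
gen_key_and_csr() {
    write_csr_config
    (umask 077 && openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/new.key")
    openssl req -new -key "$WORK/new.key" -config "$WORK/csr.cnf" -out "$WORK/new.csr"
}

# Cert/key match via SHA-256 of the DER public key: works for RSA and EC alike,
# unlike the RSA-only modulus comparison. Exit status 0 means they match.
cert_key_match() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Every required SAN in the comma-separated list $2 must be present in cert $1.
cert_covers_sans() {
    have=$(openssl x509 -in "$1" -noout -ext subjectAltName | tr -d ' ' | tr ',' '\n')
    for san in $(printf '%s\n' "$2" | tr ',' '\n'); do
        printf '%s\n' "$have" | grep -qxF "$san" || return 1
    done
}

# Constructed stand-in for the CA step: self-sign the CSR, keeping its SANs.
selfsign_for_test() {
    openssl x509 -req -in "$WORK/new.csr" -signkey "$WORK/new.key" -days 30 \
        -extfile "$WORK/csr.cnf" -extensions v3_req -out "$WORK/test.crt" 2>/dev/null
}
```

In a real rotation the CSR goes to the CA instead of `selfsign_for_test`, and the two checks run against the issued certificate before the service is reloaded.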