Thanks for all this, perhaps I need to clarify in one reply. Server is CentOS 7 running multiple VPS web servers and mailboxes, all now set up with SSL. The main httpd.conf file has the server host defined as port 80 and port 443 in a Vhost config file and points to certs at /etc/letencrypt/live/server.watchet.net.
However, entering https://server.watchet.net brings up errors and shows:-
server.watchet.net uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is not valid for the name server.watchet.net. The certificate expired on 11 March 2017 11:42. The current time is 16 March 2020 10:57.
On a search there are 3 certs at /etc/pki/tls/certs where they are “ca-bundle.crt, ca-bundle.trust.crt, localhost.crt” and these are with the same date as mentioned above. There are also some certs at /etc/pki.tls/private including localhost.key.
More research shows these are referred to from /etc/httpd/conf.d/ssl.conf where there are entries:
Point SSLCertificateFile at a PEM encoded certificate. If
the certificate is encrypted, then you will be prompted for a
pass phrase. Note that a kill -HUP will prompt again. A new
certificate can be generated using the genkey(1) command.
Server Private Key:
If the key is not combined with the certificate, use this
directive to point at the key file. Keep in mind that if
you’ve both a RSA and a DSA private key you can configure
both in parallel (to also allow the use of DSA ciphers, etc.)
Server Certificate Chain:
Point SSLCertificateChainFile at a file containing the
concatenation of PEM encoded CA certificates which form the
certificate chain for the server certificate. Alternatively
the referenced file can be the same as SSLCertificateFile
when the CA certificates are directly appended to the server
certificate for convinience.
Certificate Authority (CA):
Set the CA certificate verification path where to find CA
certificates for client authentication or alternatively one
huge file containing all of them (file must be PEM encoded)
Sorry, but although a programmer I cannot get my head around what is happening! Yes, I can change and test the lines in ssl.conf, but I am not sure what I need to point them to!
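
One way to see which certificate file each Apache config file actually references, and whether that certificate is expired or self-signed, written as an added example that is not part of the original post. The script name is hypothetical, and it assumes the `openssl` command-line tool is installed and that the config files are passed as arguments.

```shell
#!/bin/sh
# Added example: report which certificate files the active Apache TLS
# directives point at. Usage (script name is hypothetical):
#   sh apache_tls_audit.sh /etc/httpd/conf.d/*.conf

# Print "file:directive:path" for every uncommented SSLCertificateFile,
# SSLCertificateKeyFile and SSLCertificateChainFile line in the given files.
list_ssl_directives() {
    awk '
        /^[ \t]*#/ { next }                 # ignore commented-out directives
        tolower($1) ~ /^sslcertificate(file|keyfile|chainfile)$/ {
            gsub(/"/, "", $2)               # paths may be quoted
            print FILENAME ":" $1 ":" $2
        }' "$@"
}

# Summarise the first certificate in a PEM file: expiry state, whether
# subject and issuer match (self-signed), end date and subject.
cert_status() (
    cert=$1
    [ -r "$cert" ] || { echo "unreadable"; exit 0; }
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo "not-a-certificate"; exit 0; }
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    end=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
    state=valid
    # -checkend 0 exits non-zero when the certificate has already expired
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || state=expired
    [ "$subject" = "$issuer" ] && state="$state,self-signed"
    echo "$state notAfter=$end subject=$subject"
)

# One tab-separated line per directive: config file, directive, path, status.
audit_apache_tls() {
    list_ssl_directives "$@" | while IFS=: read -r file directive path; do
        case $directive in
            *[Kk]ey[Ff]ile) status="private key, not inspected" ;;
            *) status=$(cert_status "$path") ;;
        esac
        printf '%s\t%s\t%s\t%s\n' "$file" "$directive" "$path" "$status"
    done
}

# Run the audit only when config files were given on the command line.
if [ "$#" -gt 0 ]; then
    audit_apache_tls "$@"
fi
```

A config file that still lists `localhost.crt` with an `expired,self-signed` status is a candidate for the certificate the browser is complaining about.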