

SSL Expiring Soon - Advice on installing new




Posted by kgibbons, 04-02-2015, 02:49 AM
Hello all,

We're on a dedicated LAMP VPS, and have had our SSL installed (and properly configured) for the past 10 months. Our 1 year expiration will be coming up within 60 days, and I just wanted to toss out a question as far as correct steps when installing the new certificate. Here are a couple of questions I'm hoping I can get some clarification on:

1. Upon renewal, does a new CSR and/or Private Key need to be created?
- Key and CSR were created when the original SSL was purchased using the following command:
- Within /etc/apache2/sites-available, I do have an active CONF file set up for the SSL equivalent of the website. In that config file, the following lines are present pointing to the correct certificate file & private key file:

2. So I guess my second question is - if no new CSR or Private Key needs to be created, do I simply overwrite the previous certificate file with the newly issued file -- and then restart Apache for the new certificate to become active?

Any help on this matter would be greatly appreciated.

Posted by WHR-Abner, 04-02-2015, 06:57 AM
Technically, you don't have to generate a new CSR for the Apache web server. Get the new cert, replace it and restart Apache to load the new SSL. With that said, most of the CAs recommend generating a new CSR to avoid any confusion, as the old CSR won't work with other web servers.

Posted by Website themes, 04-02-2015, 02:34 PM
You need to create a new CSR (certificate signing request) because the SHA-2 family of hash functions is now a requirement. Previously browsers were fine with SHA-1, which has been the default for a while now. You can reuse the existing private key, but if it's a 2048 bit RSA one it makes sense to generate a fresh 4096 bit one, which will be more future proof. So choose one of the two options:

1. New key + CSR (recommended):

OR

2. New CSR with existing key

If you are going with 1. above then you will have to overwrite both the private key and cert. If going with 2 then just the cert, like you said. Then restart Apache.

Make sure you keep the private key private. chmod it to 400 so that only root can read it. Apache will be able to read it because it starts as root before downgrading to www-data.

Posted by RDO Servers, 04-02-2015, 02:36 PM
I agree with @whrss and @Website themes. Although you don't always have to generate a new CSR, it is recommended.

Posted by kgibbons, 04-02-2015, 02:41 PM
Awesome, thanks for the very informative replies guys... greatly appreciated! I definitely will go with the New key + csr method, as my current cert is only SHA-1. And it's not all that much trouble to create and use the new Private Key as well, so might as well do both. Thanks again!

Posted by kgibbons, 04-05-2015, 01:17 AM
Website themes (or anyone else following this thread), what designates SHA-2 output files in the #1 scenario above? I'm assuming it must be the "-newkey rsa:4096 -sha256" which outputs a CSR/Key combo which is SHA-2 specific. But just curious for my inquisitive nature what is actually creating the SHA-2 specific output files.

Posted by Website themes, 04-05-2015, 05:25 AM
The -sha256 switch tells openssl to use sha256sum as the hashing function/digest. You are requesting your CA to use sha256sum as the hashing function when creating a digital signature for inclusion in the SSL certificate that they will give you. So the CSR (certificate signing request) file is hashing function specific. It is specified using the -out switch. The private key file is specified using the -keyout switch and it's not affected by the -sha256 switch. The private key is affected by the -newkey switch, where you are specifying the algorithm (RSA) and size (4096 bits).
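Option 1 from the replies above (fresh 4096-bit key plus SHA-256 CSR), with the switches just explained and the checks an admin wants before swapping files under Apache: that the CSR really carries a SHA-256 signature, that the key is the size requested, and that the cert the CA returns actually matches the private key on disk. This is an added example, not a command from any poster; file paths and the CN are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.
set -eu

# Generate a new private key and CSR in one step. -nodes leaves the key
# unencrypted so Apache can start unattended; -sha256 only affects the
# CSR signature; -newkey sets the key algorithm and size.
gen_key_and_csr() {
    key="$1"; csr="$2"; cn="$3"
    # subshell so the restrictive umask does not leak to the caller
    ( umask 077; openssl req -new -newkey rsa:4096 -nodes -sha256 \
          -keyout "$key" -out "$csr" -subj "/CN=$cn" 2>/dev/null )
    chmod 400 "$key"   # as recommended above: owner-only read
}

# Print the signature algorithm recorded in a CSR
# (expect sha256WithRSAEncryption after -sha256).
csr_sig_alg() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Print the RSA modulus size in bits for a private key file.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p' | head -n 1
}

# Return 0 if the certificate's public key equals the private key's
# public key (compare SHA-256 of the PEM public key from each file).
# Run this before overwriting the old cert: a mismatch means the CA
# signed a different CSR and Apache would fail to start.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage (placeholder paths):
#   gen_key_and_csr /etc/ssl/private/example.key /root/example.csr example.com
#   cert_matches_key /etc/ssl/certs/example.crt /etc/ssl/private/example.key
```

After the CA returns the certificate, run `cert_matches_key` on it and the new key before touching the paths referenced by `SSLCertificateFile` and `SSLCertificateKeyFile`, then restart Apache.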

Posted by kgibbons, 04-05-2015, 08:49 AM
Thank you very much for the clarification! I've gotten lazy over the last bunch of years using cPanel hosting, where I didn't really have to put much thought into such things. Only recently getting back into my own "dedicated" machine (VPS anyway) and server admin work - and always on a quest for more knowledge. Thanks so much once again!
