Here’s how to move an SSL certificate if you’ve never done it before. There’s a first for everything.
First, you need to know that a certificate is issued for your domain, hosted on a certain server. You need to reissue the certificate based on your current server. Assuming you’ve already done it for your current server, here’s how to reissue it:
Generate an RSA private key
Connect to your domain via SSH and enter the following commands:
openssl
genrsa -out private.key 2048
A private key named private.key will be created.
Note: you will have to read up on SSH, as it is outside the scope of this article.
Generate a CSR
req -new -sha256 -key private.key -out file.csr
Enter your details:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IE]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (Enter a . and click ENTER)
An optional company name []:(Enter a . and click ENTER)
Use your own name (first name and last name) for Organization Name if you are not affiliated with any organization.
A certificate signing request named file.csr will be created.
Get the key and request details
You can now use SFTP or WinSCP to get the file contents, but, to keep it low level, I’ll keep using SSH.
Exit the OpenSSL module and get the files:
exit
nano private.key
Copy everything to a new file.
Press CTRL+X.
nano file.csr
Copy everything to a new file.
Press CTRL+X.
exit
Check your certificate
Use any of these certificate checkers to verify the validity of your signing request and to check that your details are correct and have no typos:
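The same checks can also be run locally with OpenSSL, which keeps private.key on the server. This is an added example, not part of the original article; the function names, the temporary directory and the subject values are constructed for illustration.

```shell
# Added example: local checks for private.key and file.csr (sample subject is constructed).

# Print the public key (PEM) contained in a private key, CSR or certificate.
pubkey_of() {
    case "$1" in
        *.key) openssl pkey -in "$1" -pubout ;;
        *.csr) openssl req  -in "$1" -noout -pubkey ;;
        *.crt) openssl x509 -in "$1" -noout -pubkey ;;
        *) echo "unknown file type: $1" >&2; return 2 ;;
    esac
}

# Succeed only if both files carry the same public key.
same_keypair() {
    a=$(pubkey_of "$1" 2>/dev/null) || return 2
    b=$(pubkey_of "$2" 2>/dev/null) || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed only if the CSR has a 2048-bit key and a SHA-256 signature.
csr_meets_baseline() {
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' &&
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption'
}

# Print the subject so typos in the details can be caught before submission.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Build a throwaway key, CSR and unrelated key non-interactively for the demo.
make_sample() {
    dir=$1
    openssl genrsa -out "$dir/private.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/private.key" -out "$dir/file.csr" \
        -subj "/C=IE/O=Example Org/CN=www.example.com" 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) && make_sample "$tmp" || return 1
    csr_subject "$tmp/file.csr"
    csr_meets_baseline "$tmp/file.csr" && echo "CSR: 2048-bit RSA, SHA-256"
    same_keypair "$tmp/private.key" "$tmp/file.csr" && echo "private.key matches file.csr"
    same_keypair "$tmp/other.key" "$tmp/file.csr" || echo "other.key does NOT match file.csr"
    rm -rf "$tmp"
}
demo
```

Once the reissued .crt arrives, same_keypair private.key yourdomain.crt (file name assumed) confirms the certificate belongs to this key before both go into the hosting panel.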
(Re)issue your certificate
On your certificate provider site, find the reissue option. You will be asked for your CSR, you will be asked to confirm your details, and you are done. In less than 15 minutes, you should receive your new certificate via email.
Add your certificate
On your hosting provider panel, find the certificates section (secure hosting or SSL). You will see 3 or 4 boxes, which you will use to add your RSA private key, your certificate signing request and your .crt certificate. Any of these files can be opened using a standard text editor. The 4th box might request an optional intermediate (CA) certificate. Ignore this box unless you have a really old certificate or your host’s OpenSSL is not up to standards.
You are done!
Note: this guide applies to new certificate generation, as well.