
Here’s how to move an SSL certificate if you’ve never done it before. There’s a first time for everything.

First of all, you need to know that a certificate is issued for your domain, hosted on a certain server. You need to reissue the certificate based on your current server. Assuming you’ve already done it for your current server, here’s how to reissue it:

Generate an RSA private key

Connect to your server via SSH and run the following command:

openssl genrsa -out private.key 2048

A private key named private.key will be created.

Note: you will have to read up on SSH, as it is outside the scope of this article.

Generate a CSR

openssl req -new -sha256 -key private.key -out file.csr

Enter your details:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [IE]: 
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (Enter a . and press ENTER)
An optional company name []: (Enter a . and press ENTER)

Use your own name (first name and last name) for Organization Name if you are not affiliated with any organisation.

A certificate signing request named file.csr will be created.

Get the key and request details

You can now use SFTP or WinSCP to get the file contents, but, to keep it low level, I’ll keep using SSH.

Back at the shell prompt (exit OpenSSL first if you are still inside it), open the files:

nano private.key

Copy everything to a new file.

Press CTRL+X.

nano file.csr

Copy everything to a new file.

Press CTRL+X.


Check your certificate

Use any of these certificate checkers to verify the validity of your signing request and check that your details are correct and have no typos:
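
The signing request can also be checked locally with OpenSSL, without pasting it into a third-party site. The script below is an added example, not part of the original article; it assumes the RSA key and CSR file names used above (private.key and file.csr), and its function names are made up for illustration.

```shell
#!/bin/sh
# Added example: local checks on the files created in this guide.
# private.key and file.csr are the article's file names; the function
# names below are made up for this example.

# Succeeds only if the CSR's self-signature is valid. The output text is
# matched on "verify OK" instead of relying on the exit status alone.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Succeeds only if the CSR was generated from the given RSA private key.
# Returns 2 if either file cannot be parsed, 1 on a mismatch.
csr_matches_key() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 2
    csr_mod=$(openssl req -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ -n "$key_mod" ] && [ "$key_mod" = "$csr_mod" ]
}

# Print the subject (DN) so typos can be caught before submitting the CSR.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# usage: check_csr private.key file.csr
check_csr() {
    csr_signature_ok "$2" || { echo "CSR signature invalid: $2" >&2; return 1; }
    csr_matches_key "$1" "$2" || { echo "CSR does not match key: $1" >&2; return 1; }
    csr_subject "$2"
}

# Run the checks when the article's files are in the current directory.
if [ -f private.key ] && [ -f file.csr ]; then
    check_csr private.key file.csr
fi
```

If check_csr prints the subject line, the request is well formed and belongs to private.key; read the printed fields once more for typos before submitting.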

(Re)issue your certificate

On your certificate provider’s site, find the reissue option. You will be asked for your CSR and to confirm your details, and you are done. In less than 15 minutes, you should receive your new certificate via email.

Add your certificate

On your hosting provider panel, find the certificates section (secure hosting or SSL). You will see 3 or 4 boxes, which you will use to add your RSA private key, your certificate signing request and your .crt certificate. Any of these files can be opened using a standard text editor. The 4th box might request an optional intermediate (CA) certificate. Ignore this box unless you have a really old certificate or your host’s OpenSSL is not up to standards.

You are done!

Note: this guide applies to new certificate generation, as well.
