Here’s how to move an SSL certificate if you’ve never done it before. There’s a first for everything.
First of all, you need to know that a certificate is issued for your domain, hosted on a certain server. You need to reissue the certificate based on your current server. Assuming you’ve already done it for your current server, here’s how to reissue it:
Generate an RSA private key
Connect to your domain via SSH and enter the following commands at the OpenSSL prompt (from a regular shell, prefix each one with `openssl`):
genrsa -out private.key 2048
A private key named private.key will be created.
Note: you will have to read up on SSH, as it is outside the scope of this article.
Generate a CSR
req -new -sha256 -key private.key -out file.csr
Enter your details:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IE]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) :
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) :
Common Name (eg, YOUR name) :
Email Address :
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password : (Enter a . and click ENTER)
An optional company name : (Enter a . and click ENTER)
Use your own name (first name and last name) for Organization Name if you are not affiliated with any organisation.
A certificate signing request named file.csr will be created.
Get key and request details
You can now use SFTP or WinSCP to get the file contents, but, to keep it low level, I’ll keep using SSH.
Exit OpenSSL module and get the files:
Copy everything to a new file.
Copy everything to a new file.
Check your certificate
Use any of these certificate checkers to verify the validity of your signing request and check that your details are correct and have no typos:
(Re)issue your certificate
On your certificate provider site, find the reissue option. You will be asked for your CSR, you will be asked to confirm your details, and you are done. In less than 15 minutes, you should receive your new certificate via email.
Add your certificate
On your hosting provider panel, find the certificates section (secure hosting or SSL). You will see 3 or 4 boxes, which you will use to add your RSA private key, your certificate signing request and your .crt certificate. Any of these files can be opened using a standard text editor. The 4th box might request an optional intermediate (CA) certificate. Ignore this box unless you have a really old certificate or your host’s OpenSSL is not up to standards.
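The checks from the steps above can also be run locally with OpenSSL before anything is pasted into the provider or hosting panel. The script below is an added example, not part of the original article: it creates the key and CSR without the interactive prompts, then confirms that the CSR (and, going slightly beyond the text, the issued .crt) carries the same public key as private.key. The domain example.com, the subject fields and the function names are assumptions.

```shell
#!/bin/sh
# Added example; example.com, the subject fields and the function names are placeholders.

# Create a 2048-bit RSA key and a SHA-256 CSR without the interactive prompts.
make_key_and_csr() {  # usage: make_key_and_csr <dir> <common-name>
    # umask 077: the private key must be readable by its owner only
    ( umask 077; openssl genrsa -out "$1/private.key" 2048 2>/dev/null ) || return 1
    openssl req -new -sha256 -key "$1/private.key" \
        -subj "/C=IE/O=Example Org/CN=$2" -out "$1/file.csr"
}

# Print the SHA-256 digest of the public key held in a key, CSR or certificate.
pubkey_digest() {  # usage: pubkey_digest key|csr|crt <file>
    case "$1" in
        key) pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    [ -n "$pub" ] || return 1   # unreadable input must never compare equal
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if the CSR is correctly self-signed and was made from this key.
csr_matches_key() {  # usage: csr_matches_key <key-file> <csr-file>
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    k=$(pubkey_digest key "$1") && c=$(pubkey_digest csr "$2") && [ "$k" = "$c" ]
}

# Succeed only if the issued certificate belongs to this key.
crt_matches_key() {  # usage: crt_matches_key <key-file> <crt-file>
    k=$(pubkey_digest key "$1") && c=$(pubkey_digest crt "$2") && [ "$k" = "$c" ]
}

# Demo with throwaway files in a temporary directory.
d=$(mktemp -d) && make_key_and_csr "$d" example.com &&
    csr_matches_key "$d/private.key" "$d/file.csr" && echo "CSR matches key"
rm -rf "$d"
```

Run `crt_matches_key private.key your.crt` on the certificate you receive before pasting it into the panel; a mismatch means the certificate was issued for a different CSR.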
You are done!
Note: this guide applies to new certificate generation, as well.