Comment: Migrated to Confluence 5.3

Backup Files

Before attempting to renew an SSL certificate, back up all your private and public keys to a secure folder.

Generate a New CSR

With Apache it is possible to renew the SSL certificate with the original CSR; however, most sites recommend creating a new CSR because creating a new certificate with an identical DN will not invalidate the previous certificate.

Renewing Certificate

In the case of not being able to replace a certificate, instructions are provided by the CA you received your certificate from. As an example, StartSSL requires you to log in to the account that created the certificate and provides your account the option to renew the certificate.

Private Key

You can use your existing private key to generate the CSR or create a new one.

Info

There is no clear consensus on whether creating a new private key or reusing the old one is considered best practice. Whether a new private key is necessary depends on which web server you are using (e.g. you'd need to create new private keys due to the way the Microsoft IIS web server handles storing private keys). Many sites, like sslshopper.com, recommend that a new private key be created, as it avoids confusion and is simplest.

Condensed instructions are as follows:

Gather all required information from the existing certificate.

Warning
Comment - Tin's to Duncan

Explain how here.

Run openssl to generate a new server private key

Code Block
openssl genrsa -out www.example.com_server.key 2048

Generate a CSR with the private key

Code Block
openssl req -new -key www.example.com_server.key -out www.example.com_server.csr

Submit the CSR to your root CA to be signed.

Refer to creating a new CSR for more details.
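
The condensed steps above can be scripted end to end. The following is an added example, not part of the original page: it reads the subject DN from the existing certificate, generates a new key, builds the CSR with that DN, and checks that the CSR belongs to the new key. The function names are hypothetical, the "old" certificate is a constructed self-signed sample, and the subject values are assumed to contain no "/" characters.

```sh
# Print a certificate's subject DN in the /C=../CN=.. form that "req -subj" accepts.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# Print a CSR's subject DN in the same form, for comparison.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# Succeed only if the CSR's public key belongs to the given private key.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# renew_csr OLD_CERT NEW_KEY NEW_CSR: fresh 2048-bit key, CSR with the old subject.
renew_csr() {
    subj=$(cert_subject "$1")
    [ -n "$subj" ] || { echo "cannot read subject from $1" >&2; return 1; }
    # umask 077 keeps the new private key unreadable by other users.
    ( umask 077; openssl genrsa -out "$2" 2048 ) 2>/dev/null || return 1
    openssl req -new -key "$2" -out "$3" -subj "$subj" || return 1
    csr_matches_key "$3" "$2"
}

# Constructed sample input: a throwaway self-signed cert standing in for the expiring one.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/old.key" -out "$1/old.crt" \
        -subj "/C=US/ST=Example State/O=Example Org/CN=www.example.com" 2>/dev/null
}

# Run the whole procedure in a temporary directory and print the new CSR's subject.
demo() {
    work=$(mktemp -d) || return 1
    make_sample_cert "$work" &&
    renew_csr "$work/old.crt" "$work/www.example.com_server.key" \
              "$work/www.example.com_server.csr" &&
    csr_subject "$work/www.example.com_server.csr"
    status=$?
    rm -rf "$work"
    return $status
}
demo
```

Only the subject DN is carried over by `-subj`; review the full output of `openssl x509 -noout -text` on the old certificate for anything else the CA needs to see in the request.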