The logistics of moving an SSL certificate to a new server
So here is my situation:
I need to move a medium sized bank's website from Network Solutions to my new VPS server here on Linode, which includes moving/reissuing an SSL certificate and trying to make the downtime for the website as short as possible.
Getting the web server stuff up and running was quite easy thanks to the Linode documentation. So I have a complete copy of the bank website up and running on Linode right now (accessible by IP and not domain right now). The part that is giving me stress is figuring out the exact steps to get the SSL certificate installed and switching servers with as little downtime as possible.
So as far as I can tell the order I need to do this in is:
1. Change domain to point to Linode name servers (which will leave the fresh Linode copy of the site SSL-less for a period, which is less than ideal, but I see no way around this)
2. Initiate SSL reissue and wait for it to go through (which according to NS can take from 1 to 5 days to complete)
3. Upload SSL files to server and properly configure the virtualhost config file for the site to point to the right certificate files.
Now, if anyone has any tips for making steps 1 and 2 go as smoothly as possible, I would love to hear them. Should I pull the site down, replacing it with a "Down for Maintenance" message for the couple of days this might take? But having the site completely inaccessible for the time it might take for this to all go down might not be a good idea.
The next thing that is tripping me up is that the files Network Solutions provides seem to differ from what other places do. They provide 4 files with the following names:
* AddTrustExternalCARoot.crt
* NetworkSolutions_CA.crt
* STAR.DOMAINNAME.COM.crt
* UTNAddTrustServer_CA.crt
Now according to the Linode tutorial, I need to point to 3 files in my Apache virtual host file:
* SSLCertificateFile /etc/apache2/ssl/
* SSLCertificateKeyFile /etc/apache2/ssl/www.mydomain.com.key
* SSLCACertificateFile /etc/apache2/ssl/verisign.cer
The SSLCertificateFile is easy enough, that will be the STAR.DOMAINNAME.COM.crt file NS provides.
The SSLCertificateKeyFile is the key file I generate along with the CSR file, so that seems simple too.
The SSLCACertificateFile I am assuming is the NetworkSolutions_CA.crt file, but they have different file extensions, which is throwing me off. Are CER and CRT files interchangeable?
And what is with the other 2 files they are providing (AddTrustExternalCARoot.crt and UTNAddTrustServer_CA.crt)? Do I need those for anything?
Any help or advice would be much appreciated!
2 Replies
I was able to get everything all worked out over the last two days and the move went fairly smoothly.
Once I figured out I had to concatenate 3 of those files together (cat AddTrustExternalCARoot.crt NetworkSolutionsCA.crt UTNAddTrustServerCA.crt >> ca_bundle.crt), everything else fell into place.
Wanted to leave something about the file concatenation in case anyone else has this issue!
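The bundle-building step from the reply, as an added example that is not part of the original thread: it builds the CA bundle from the files named in the question, converting any DER-encoded .cer/.crt to PEM (the extension says nothing about the encoding, which is what makes CER and CRT look interchangeable), and then checks the result with openssl before Apache is pointed at it. It assumes openssl is installed and that NetworkSolutions_CA.crt is the issuer of the site certificate, with UTNAddTrustServer_CA.crt and AddTrustExternalCARoot.crt above it.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires openssl.
set -eu

# to_pem FILE: print FILE as PEM. .cer and .crt are only naming conventions;
# the content may be PEM (text) or DER (binary), and Apache needs PEM.
to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        cat "$1"
    else
        openssl x509 -inform DER -in "$1" -outform PEM
    fi
}

# build_bundle OUT CA_FILE... : write the CA certificates to OUT in the order
# given (issuer of the site certificate first, root last). OUT is truncated
# first, so re-running does not duplicate entries the way '>>' would.
build_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        to_pem "$f" >> "$out"
    done
}

# check_chain BUNDLE LEAF: succeed only if LEAF chains to a CA in BUNDLE.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_key_matches LEAF KEY: succeed only if KEY is the private key for
# LEAF, by comparing the public key carried in each.
check_key_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# Usage with the Network Solutions file names (assumed chain order):
#   build_bundle ca_bundle.crt NetworkSolutions_CA.crt \
#       UTNAddTrustServer_CA.crt AddTrustExternalCARoot.crt
#   check_chain ca_bundle.crt STAR.DOMAINNAME.COM.crt || echo "chain broken"
#   check_key_matches STAR.DOMAINNAME.COM.crt www.mydomain.com.key || echo "wrong key"
```

If check_chain fails, the usual cause is a missing or mis-ordered intermediate rather than a bad site certificate; if check_key_matches fails, the key used for the CSR is not the one being installed.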