- Generate a new certificate signing request (.csr) and key file (.key)
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
where server is the name of your server
- Fill in the details but you can leave email, challenge password and optional company name blank. Please note: The following characters cannot be accepted: < > ~ ! @ # $ % ^ / \ ( ) ?.,&
- Check the contents of the CSR: https://www.sslshopper.com/csr-decoder.html or enter this in the SSH console:
openssl req -in server.csr -noout -text
(again where server.csr is the name of the newly generated CSR file)
- Submit the CSR to the commercial SSL provider.
- Copy the new certificate information into the correct location for the host. You may need to look at the virtual host settings or apache config file to see where an existing one is. * See below
- Do the same for the intermediate certificate file if there is one.
- Move (or copy) the key
- Change the apache (or virtual host) config file to point at the new certificates.
- Restart the webserver. For Debian this is “service apache2 restart”. For CentOS this would be “service httpd restart” or “systemctl restart httpd” for newer CentOS versions.
- Make sure the server restarts – any typos in the config will stop it from running – you will be notified.
Country Codes: https://www.digicert.com/ssl-certificate-country-codes.htm
Check they are working correctly: https://www.sslshopper.com/ssl-checker.html
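A check worth running between receiving the certificate and restarting Apache, as an added example that is not part of the original page: it confirms that the key, the CSR and the issued certificate all carry the same public key and that the key file is not accessible to group or other. The file name server.crt, the function names and the sample subject are assumptions, and the self-signed certificate in make_sample is constructed test data standing in for the CA-issued one.

```shell
#!/bin/sh
# Added example: checks to run after the CA returns the certificate and before
# restarting Apache. server.key/server.csr follow the page; server.crt is assumed.

# SHA-256 of the public key held in a private key, CSR or certificate.
pubkey_hash() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null)        || return 1 ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)  || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# check_bundle KEY CSR CERT: succeed only if all three carry the same public
# key and the private key has no group/other permission bits set.
check_bundle() {
    k=$(pubkey_hash key "$1")  || { echo "cannot read key: $1"; return 1; }
    r=$(pubkey_hash csr "$2")  || { echo "cannot read CSR: $2"; return 1; }
    c=$(pubkey_hash cert "$3") || { echo "cannot read certificate: $3"; return 1; }
    [ "$k" = "$r" ] || { echo "CSR was not made from this key"; return 1; }
    [ "$k" = "$c" ] || { echo "certificate does not match this key"; return 1; }
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "key is accessible to group/other; chmod 600 $1"; return 1; }
    echo "key, CSR and certificate match"
}

# make_sample DIR: constructed test data. The certificate is self-signed here
# only as a stand-in for the one a commercial CA would issue.
make_sample() {
    ( cd "$1" && umask 077 &&
      openssl req -new -newkey rsa:2048 -nodes -keyout server.key \
          -out server.csr -subj "/C=GB/O=Example Ltd/CN=www.example.com" &&
      openssl x509 -req -in server.csr -signkey server.key -days 1 \
          -out server.crt ) >/dev/null 2>&1
}

# Usage: sh check.sh server.key server.csr server.crt
if [ "$#" -eq 3 ]; then
    check_bundle "$@"
fi
# If the check passes, test the config before restarting:
#   apachectl configtest    (apache2ctl configtest on Debian)
```

A mismatch here usually means the certificate was copied next to a key from an earlier request; Apache will refuse to start with such a pair.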