Replacing SSL Cert Apache

apache-2.2 centos6 ssl-certificate

I am replacing our SSL cert on our Apache web server.

This is the first time I have done this, with my 2 colleagues being on holiday and an urgent need to replace our SSL cert (due to the OpenSSL bug). Would someone mind giving me some pointers?

I have read up but just want to double check the following procedure is correct.

I have generated a new private key, and CSR. Have sent the CSR to the CA, they have now issued me with a new crt and ca-bundle file.

Do I simply replace the private key, the new crt and the new ca-bundle and restart httpd?

Are there any other tasks that need to be carried out before doing this?

Best Answer

You've already done the hard work. And you're correct in that you need to replace BOTH the private key as well as the certs that have been re-issued to you.

All you need to do now is replace the old key files with the new crt and ca-bundle.

And yes, you DO have to restart Apache (httpd). If you're unsure of having it take or not, consider rebooting the entire machine too.

Of course, all of this is a moot point if you didn't patch your system first. So, steps in the proper order would be:

  • Patch your System (install fixed version of OpenSSL)
  • Restart Apache
  • Generate new Private Key
  • Obtain the new CRT from the CA
  • Replace your certificates
  • Restart Apache (or better yet, restart your whole server)
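
A pre-restart check for the "Replace your certificates" step above, added here as an example and not part of the original answer: it confirms that the new private key belongs to the new crt, that the crt is within its validity period, and that it chains to the ca-bundle. The function names and the file names passed in are assumptions, and the key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example: sanity checks to run on the new files before restarting httpd.

# Succeeds only if the public key derived from the private key is identical
# to the public key embedded in the certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only if the certificate chains to the supplied CA bundle.
# The output is matched on ": OK" because older OpenSSL releases can
# exit 0 from "verify" even when verification failed.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Usage: precheck <private key> <certificate> <ca bundle>
precheck() {
    key=$1; crt=$2; bundle=$3
    key_matches_cert "$key" "$crt" || {
        echo "FAIL: private key does not match certificate" >&2; return 1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "FAIL: certificate is expired or unreadable" >&2; return 1; }
    chain_verifies "$crt" "$bundle" || {
        echo "FAIL: certificate does not chain to the CA bundle" >&2; return 1; }
    echo "OK: key, certificate and CA bundle are consistent"
}

# Typical sequence on the server (file names are placeholders):
#   precheck new.key new.crt new.ca-bundle \
#     && apachectl configtest \
#     && service httpd restart
```

A failed key match at this stage usually means the crt was issued for an older CSR, so the old key pair would still be the one in use.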