We are helping a new client migrate their site from a previous unreliable host over to a new (cloud-based) host. They run an e-commerce site with an SSL certificate (GeoTrust SSL). We plan to move their site for them and then just update the DNS to point to the new server.
The issue here is that the current host is not playing ball (with us or the clients). Our client owns the domain name but did not register the SSL certificate. We don't have access to their current server.
Would we be able to get another certificate issued (but keep the old one running)? Does this vary by provider?
Best Answer
Presumably, the current certificate, for which you don't have access to the private key, was issued at least using domain-validation (i.e. an e-mail asking for confirmation should have been e-mailed to the address with which the domain is registered, obtained via whois).

When you say "Our client owns the domain name", the key is to make sure your client receives the e-mails for all the necessary contacts (in particular, that those e-mails won't go to the hosting service you want to leave).
I would suggest the following course of action (in this order):
In both cases:
Regarding your concerns in comments:
The CA will issue a certificate for a host name you control. It's normally their business to check that you control the host name at least (via whois register), but this has nothing to do with the specific DNS entry that resolves this host name into an IP address. You can change the IP address and/or not have the server online: it's not the CA's concern.

You can definitely have two different certificates for the same host name from two different CAs at the same time. It generally only makes sense when you want to switch provider, since you can only install one at a time on a given server. There doesn't need to be any downtime at all. (The longest downtime is likely to come from the global propagation of the DNS updates when you switch to the new provider.)
It's all about who controls the domain (and for EV certs, there's a bit more paperwork too): check your client's whois entry.
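
A pre-cutover check for the new server, as an added example that is not part of the original answer: it generates a fresh key and CSR (the old host's private key is never needed), then confirms that a certificate matches that key and covers the host name before DNS is switched. The host name, file names and the self-signed stand-in certificate are constructed assumptions; the real certificate would be the one the CA issues for the CSR.

```bash
#!/usr/bin/env bash
# Added example: checks to run on the NEW server before the DNS cutover.
set -eu

HOST="shop.example.com"      # hypothetical host name (assumption)
WORK="$(mktemp -d)"          # scratch directory for this demonstration

# New key pair and CSR, created on the new server; $1 is a file label.
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/CN=$HOST" 2>/dev/null
}

# Constructed stand-in for the CA-issued certificate (self-signed, 1 day).
issue_stand_in_cert() {
  openssl req -new -x509 -key "$WORK/$1.key" -days 1 \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# SHA-256 of the public key held in a certificate, CSR or private key.
pubkey_hash() {              # $1 = x509|req|pkey, $2 = PEM file
  case "$1" in
    x509) openssl x509 -in "$2" -noout -pubkey ;;
    req)  openssl req  -in "$2" -noout -pubkey ;;
    pkey) openssl pkey -in "$2" -pubout ;;
  esac | openssl sha256
}

# True only if the certificate was issued for this private key.
cert_matches_key() {         # $1 = certificate, $2 = private key
  [ "$(pubkey_hash x509 "$1")" = "$(pubkey_hash pkey "$2")" ]
}

# True only if the certificate is valid for the given host name.
cert_covers_host() {         # $1 = certificate, $2 = host name
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

new_key_and_csr new
issue_stand_in_cert new
cert_matches_key "$WORK/new.crt" "$WORK/new.key" && echo "cert matches new key"
cert_covers_host "$WORK/new.crt" "$HOST" && echo "cert covers $HOST"
```
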