SSL – Migrating an SSL Certificate from one host to another during site migration

domain-name-system, https, migration, ssl

We are helping a new client migrate their site from a previous unreliable host over to a new host (cloud-based). They run an ecom site with an SSL certificate (GeoTrust SSL). We plan to move their site for them and then just update the DNS to the new server.

The issue here is that the current host is not playing ball (with us or the clients). Our client owns the domain name but did not register the SSL certificate. We don't have access to their current server.

Would we be able to get another certificate issued (but keep the old one running)? Does this vary by provider?

Best Answer

Presumably, the current certificate, for which you don't have access to the private key, was issued at least using domain-validation (i.e. an e-mail asking for confirmation should have been e-mailed to the address with which the domain is registered, obtained via whois).

When you say "Our client owns the domain name", the key is to make sure your client receives the e-mails for all the necessary contacts (in particular, that those e-mails won't go to the hosting service you want to leave).

I would suggest the following course of action (in this order):

  • Contact the CA that issued the current certificate. Check their terms and conditions: they might be able to revoke the current certificate and re-issue a new certificate within the same package, sometimes at no extra cost.
  • Failing that, get a new certificate with another CA (or perhaps the same).

In both cases:

  • You will have to generate a new certificate request (CSR), which will give you access to the private key. (Ideally, it's something that your client themselves should do, if they have the technical staff to do so.)
  • You should really contact the current CA and explain the situation. As the legitimate owner of the domain (with which the certificate was presumably validated), your client should be able to have the current certificate revoked. You should effectively treat the current certificate as compromised, to prevent anyone who has the current private key from running that site in parallel (although presumably, you will at least have changed the DNS to your new host).

Regarding your concerns in comments:

"Do they communicate among themselves, or are they happy to issue certificates as long as they can be installed within a certain period of time? My worry is that we will go and get another SSL certificate and it will be revoked because the DNS will not be switched over for a week to 10 days after we install it on the new server."

The CA will issue a certificate for a host name you control. It's normally their business to check that you control the host name at least (via whois register), but this has nothing to do with the specific DNS entry that resolves this host name into an IP address. You can change the IP address and/or not have the server online: it's not the CA's concern.

"Given that our client does own the domain name, can they just go to a different SSL provider and get another certificate? (What would stop me just buying an SSL certificate for some random website in that instance?) I'm worried about revoking and issuing a new certificate unless that's something that can be done within hours. We can afford a couple of hours' downtime overnight, but no more than that."

You can definitely have two different certificates for the same host name from two different CAs at the same time. It generally only makes sense when you want to switch provider, since you can only install one at a time on a given server. There doesn't need to be any downtime at all. (The longest downtime is likely to come from the global propagation of the DNS updates when you switch to the new provider.)

"What would stop me just buying an SSL certificate for some random website in that instance?"

It's all about who controls the domain (and for EV certs, there's a bit more paperwork too): check your client's whois entry.
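
The CSR step from the answer above, as an added example that is not part of the original question or answer: it generates a new key and CSR on the new host, confirms that a certificate is bound to that key (so the old host's key is never needed), and prints the details of the old certificate to quote to the CA in a revocation request. `shop.example.com`, the file names and the function names are placeholders, and the self-signing step is a constructed stand-in for the CA so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example. DOMAIN and all file names are placeholders; the "old" key pair
# and both self-signed certificates are constructed stand-ins so this runs offline.
set -eu
DOMAIN="shop.example.com"
WORK="$(mktemp -d)"

# New private key + CSR, generated on the host that will serve the site.
make_key_and_csr() {            # $1 = output prefix
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$DOMAIN" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    chmod 600 "$1.key"
}

# Stand-in for the CA's signature: self-sign the CSR for one day.
fake_issue() {                  # $1 = prefix
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
        -out "$1.crt" 2>/dev/null
}

# SHA-256 over the PEM public key carried by a key, CSR or certificate.
pubkey_hash() {                 # $1 = key|csr|cert, $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# True only when the certificate was issued for this private key.
cert_matches_key() {            # $1 = certificate, $2 = private key
    [ "$(pubkey_hash cert "$1")" = "$(pubkey_hash key "$2")" ]
}

# Details to quote to the CA when asking for revocation of the old certificate.
# The certificate the site currently serves can be saved without server access:
#   openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" </dev/null | openssl x509 -out old.crt
revocation_details() {          # $1 = certificate
    openssl x509 -in "$1" -noout -serial -issuer -enddate -fingerprint -sha256
}

make_key_and_csr "$WORK/new"; fake_issue "$WORK/new"   # new host
make_key_and_csr "$WORK/old"; fake_issue "$WORK/old"   # stands in for the old host's pair

cert_matches_key "$WORK/new.crt" "$WORK/new.key" && echo "new cert <-> new key: match"
cert_matches_key "$WORK/old.crt" "$WORK/new.key" || echo "old cert <-> new key: no match"
revocation_details "$WORK/old.crt"
```

In a real migration only `new.csr` is sent to the CA; `new.key` stays on the new host, and `cert_matches_key` is run against the certificate the CA returns before it is installed.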