SSL – Renewing an SSL cert: process mapped out, sanity check

openssl, ssl, ssl-certificate

Most documentation on initial SSL setup is pretty good, but what about a renewal for an existing SSL? I really don't want to fix anything that doesn't need fixing. I can't exactly test this out on a staging site. Do I need to generate a new RSA key for a renewal? I'm using a GoDaddy wildcard cert on a single Linode server running CentOS/Apache, which hosts about a dozen Atrium sites through Aegir under individual subdomains of a single domain name. Aegir can be unforgiving when missing the small stuff, so I just want to be sure.
If I need to upload something new, what folders do I put it in? And do I need to manually update all the virtual hosts of my existing Atrium sites, or will this happen automatically? Here's where I'm at (with a deer-in-headlights look).

I paid for the new SSL with GoDaddy and downloaded 2 files:
1. gd_bundle.crt
2. mydomain.crt

Inside var/aegir/config/ssl.d/godaddy I have the following files:

  1. gd_bundle.crt (this one has 3 chained certs, but the one I downloaded from GoDaddy only has 2. Just leave the new one as is and upload it? Thoughts?)
  2. openssl.crt (what I was planning to do is replace the contents of this file with what I have in mydomain.crt, copy/paste, and upload it. Yes?)
  3. openssl.csr (I alerted GoDaddy to use my existing CSR during activation, so I'll do nothing here. Yes?)
  4. openssl.key (I suppose this is the key generated the first time. Do I need to regenerate it for a renewed SSL? I'd rather not…)
  5. info.txt (this file appears to be a public cert. I don't recall how it was generated; what should I do about this mystery?) It starts like so:

Certificate:

Data:
    Version: 3 (0x2)
    Serial Number:
        2x:67:z3:
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=123456
    Validity
        Not Before: Apr 16 22:18:16 2012 GMT
        Not After : May  3 17:00:47 2013 GMT
    Subject: O=*.example.com, OU=Domain Control Validated, CN=*.example.com
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (2048 bit)
            Modulus (2048 bit):
                00:c0:1d:5a:07:98:42:b1:be:de:b7:20:b5:79:d2:
                ae:3e:99:06:e3:4b:a8:fc:59:18:f1:3a:05:aa:50:
                94:1f:64:71:9f:ea:90:eb:06:e9:1d:a0:89:00:a8:

Best Answer

You use the CSR that you originally created, send it to your CA, they sign it and send you back a new certificate. The new certificate will use the same key that went with the original CSR.

You should be able to just drop the new certificate in place of the old one without changing anything else and restart your web server.

I've done this many times with Apache, lighttpd, and IIS.

Not being a GoDaddy user, I'm not certain what the various files in your folder there are. You can examine them with openssl x509 -in <file> -text to find out what they are.
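The answer's procedure (same key, same CSR, drop the new certificate in, restart) is easy to verify before touching the live server. The script below is an added example, not part of the question or the answer, and not an Aegir or GoDaddy tool. It assumes the directory layout the poster described (openssl.key is the private key, openssl.csr the CSR that was sent to the CA, openssl.crt the certificate Apache currently serves, gd_bundle.crt the CA chain), that the key is RSA (the posted dump shows a 2048-bit RSA key), that the downloaded certificate is mydomain.crt, and that Apache is reloaded with apachectl; the absolute path /var/aegir/config/ssl.d/godaddy in the usage line is also an assumption. It compares the RSA modulus of the new certificate, the CSR and the key (a certificate issued for the original CSR must carry the same modulus as openssl.key), checks that the certificate chains through the bundle, checks the expiry date, and only then copies the file into place, keeping a dated backup. The Apache commands are printed rather than executed.

```sh
#!/bin/sh
# Added example (not from the question or the answer): pre-flight checks before a
# renewed certificate replaces the one Apache is serving.
# Assumptions: the directory layout from the question (openssl.key = private key,
# openssl.csr = CSR sent to the CA, openssl.crt = certificate currently served,
# gd_bundle.crt = CA chain), an RSA key as the posted dump shows, and the openssl CLI.

# SHA-256 of the RSA modulus of a key, CSR or certificate. Every certificate issued
# for the same key (or CSR) carries the same modulus, so equal digests mean the new
# certificate really belongs to the key Apache already has.
modulus_fp() {         # $1 = file, $2 = key | csr | crt
    case "$2" in
        key) openssl rsa  -in "$1" -noout -modulus ;;
        csr) openssl req  -in "$1" -noout -modulus ;;
        *)   openssl x509 -in "$1" -noout -modulus ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 if the certificate's public key belongs to the private key, 1 otherwise.
cert_matches_key() {   # $1 = cert, $2 = key
    [ "$(modulus_fp "$1" crt)" = "$(modulus_fp "$2" key)" ]
}

# 0 if the CSR was generated from the private key (so it can be reused for renewal).
csr_matches_key() {    # $1 = csr, $2 = key
    [ "$(modulus_fp "$1" csr)" = "$(modulus_fp "$2" key)" ]
}

# 0 if the certificate chains through the bundle to a self-signed root found either
# in the bundle or in the system trust store (openssl consults both).
chain_ok() {           # $1 = cert, $2 = bundle
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the certificate is still valid $2 seconds from now (default: 30 days).
not_expiring_within() {   # $1 = cert, $2 = seconds
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# Run every check against the new certificate, report each, return 1 on any failure.
precheck() {           # $1 = ssl dir, $2 = new cert
    rc=0
    if cert_matches_key "$2" "$1/openssl.key"; then
        echo "ok:   new cert matches $1/openssl.key"
    else
        echo "FAIL: new cert does not match $1/openssl.key (issued for a different CSR/key?)"; rc=1
    fi
    if chain_ok "$2" "$1/gd_bundle.crt"; then
        echo "ok:   chain verifies against $1/gd_bundle.crt"
    else
        echo "FAIL: chain does not verify; try the bundle shipped with the new cert"; rc=1
    fi
    if not_expiring_within "$2"; then
        echo "ok:   $(openssl x509 -in "$2" -noout -enddate)"
    else
        echo "FAIL: new cert expires within 30 days (wrong file?)"; rc=1
    fi
    echo "info: $(openssl x509 -in "$2" -noout -subject)"
    return $rc
}

# Only after all checks pass: back up the served cert, copy the new one over it,
# and print the Apache commands to run (printed, not executed, so this is safe to try).
install_cert() {       # $1 = ssl dir, $2 = new cert
    precheck "$1" "$2" || return 1
    if [ -f "$1/openssl.crt" ]; then
        cp -p "$1/openssl.crt" "$1/openssl.crt.bak-$(date +%Y%m%d)"
    fi
    cp "$2" "$1/openssl.crt"
    echo "next: apachectl configtest && apachectl graceful"
}

# Usage (paths assumed): sh renew-check.sh /var/aegir/config/ssl.d/godaddy /path/to/mydomain.crt
if [ $# -eq 2 ]; then
    install_cert "$1" "$2"
fi
```

If the first check fails, the CA issued the certificate against a different CSR than the one in the directory, and the new certificate will not work with openssl.key no matter where it is copied; that is the one case where the "just drop it in" advice does not apply. A chain failure against the old gd_bundle.crt usually means the CA has since changed its intermediates, so the bundle that came with the new certificate should replace the old one at the same time.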
