How to install a new HTTPS Certificate

From Mass Pirate Wiki
Jump to navigationJump to search

Our certificate vendor delivers certificates via email. The email message typically contains two certificates (in the body of the message).

  1. Our website certificate
  2. The vendor's intermediate certificate

Save the website certificate to a file like "masspirates.org.crt.YYYY" (where YYYY is the year where the certificate was issued). If that file already exists on the server, use YYYYMMDD, or similar to make the file name unique.

Save the vendor's intermediate certificate to a file like "masspirates.org.ca.YYYY".

Scp the files to our web server. They go in the directory ~/masspirates.org/include/cert.

It's a good idea to verify the new certificate before installing. First, make sure that the new certificate's modulus matches the key modulus.

 $ openssl x509 -modulus -in masspirates.org.crt.2015 -noout | openssl md5
 (stdin)= d3b07384d113edec49eaa6238ad5ff00
 $ openssl rsa -modulus -in masspirates.org.ssls.key -noout | openssl md5
 (stdin)= d3b07384d113edec49eaa6238ad5ff00

Note that the two stdin lines match. That means the private key and certificate have the same modulus. If the moduli don't match, then you've got the wrong certificate, and it won't work.

(Note: the md5 sums above are illustrative. They're not the actual values)

Next, make sure the certificate file validates against the intermediate CA.

 $ openssl verify -CAfile masspirates.org.ca.2015 masspirates.org.crt.2015 
 masspirates.org.crt.2015: OK

"OK" is the answer you want to see.

Once you've done this, go into our hosting provider's control panel, and edit the webserver configuration.

  • SSLCertificateFile should reference the new masspirates.org.crt.YYYY
  • SSLCertificateChainFile should reference the new masspirates.org.ca.YYYY

Save your changes, wait a few moments for the web server to reload. Visit https://masspirates.org and verify it looks okay. Also verify that the certificate expiration date is what you expect it to be.

Finally, go back to ~/masspirates.org/include/cert (on the web server). Move the old certificates into the "OLD" directory.