...

With Apache it is possible to renew the SSL certificate with the original CSR; however, most sites recommend creating a new CSR.

Most sites can recommend creating a new CSR because creating a new certificate with an identical DN will not invalidate the previous certificate. This allows

There is more than one utility that can create keys. OpenSSL is a more straightforward and popular choice. OpenSSL will create one key at a time, whereas utilities such as IBM's ikeyman can create both in one step. The private key is needed to complete the CSR.

Private Key

You can use your existing private key to generate the CSR or create a new one.

Info

There is no clear consensus on whether creating a new or using an old private key is considered best practice. It is not necessary to create a new private key depending on which web server you are using, (ie you'd need to create new private keys due to the way Microsoft IIS Web server handles storing private keys) but many sites like sslshopper.com recommend that a new private key be created as it avoids confusion and is simplest.

Warning

Duncan, the sentence "It is not necessary to create a new private key depending on which web server you are using, (ie you'd need to create new private keys due to the way Microsoft IIS Web server handles storing private keys) but many sites like sslshopper.com recommend that a new private key be created as it avoids confusion and is simplest." does not make sense to me. We'll talk about it tomorrow.

Condensed instructions are as follows:

Gather all required information from the existing certificate

Run openssl to generate a new server private key

Code Block

openssl genrsa -out www.example.com_server.key 2048

Generate a CSR with the private key

Code Block

openssl req -new -key www.example.com_server.key -out www.example.com_server.csr

Submit the CSR to your root CA to be signed.

Refer to "Creating a new CSR" for more details.
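The condensed steps above as one script, added here as an example (it is not part of the original page): it reads the subject DN from the existing certificate, generates a new key and a CSR with that same DN, and checks the result before submission. The helper names, file names and the throwaway self-signed certificate standing in for the existing one are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: all file names and the demo DN are constructed for illustration.
set -eu

# Subject DN of certificate $1 in the /C=../CN=.. form that `openssl req -subj` accepts.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# Subject DN of CSR $1, printed the same way so the two can be compared.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# New 2048-bit key ($2) and a CSR ($3) that reuses the DN of the existing cert ($1).
renew_csr() {
    (umask 077; openssl genrsa -out "$2" 2048 2>/dev/null)  # key file readable by owner only
    openssl req -new -key "$2" -subj "$(cert_subject "$1")" -out "$3"
}

# Succeed only if CSR $3 has the DN of cert $1, the public half of key $2,
# and a valid self-signature.
check_csr() {
    [ "$(cert_subject "$1")" = "$(csr_subject "$3")" ] || return 1
    [ "$(openssl rsa -in "$2" -noout -modulus)" = \
      "$(openssl req -in "$3" -noout -modulus)" ] || return 1
    openssl req -in "$3" -noout -verify >/dev/null 2>&1
}

# Constructed stand-in for the certificate being renewed (self-signed, 30 days).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$1" -out "$2" \
        -subj "/C=US/O=Example Org/CN=www.example.com" 2>/dev/null
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
make_demo_cert "$dir/old.key" "$dir/old.crt"
renew_csr "$dir/old.crt" "$dir/www.example.com_server.key" "$dir/www.example.com_server.csr"
check_csr "$dir/old.crt" "$dir/www.example.com_server.key" "$dir/www.example.com_server.csr" \
    && echo "CSR ready for signing: $(csr_subject "$dir/www.example.com_server.csr")"
```

Only the subject DN is carried over; subjectAltName entries in the old certificate are not copied into the CSR by this command.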