4.5 Apache Renewing SSL Certificate

Backup Files

Before attempting renew an SSL certificate, back up all your private and public keys to a secure folder.

Generate a New CSR

With Apache it is possible to renew the SSL Certificate with the original CSR, however, most sites recommend creating a new CSR. 

The key piece of information is that creating a certificate with an identical DN, the new key will not invalidate the previous key. This allows  

Openssl is a more straight forward and popular choice. Openssl will create one key at a time where as utilities such as IBM's ikeyman can create both in one step. The private key is needed to complete the CSR. When it comes time for renewal, you can use your existing private key to generate the CSR and public key OR generate a new one. There is no clear consensus on whether creating a new or using an old private key is considered best practice. It is not necessary to create a new private key depending on which web server you are using, (ie you'd need to create new private keys due to the way Microsoft IIS Web server handles storing private keys) but many sites like sslshopper.com recommend that a new private key be created as it avoids confusion and is simplest.

Condensed instructions are as follows:

1. Gather the following information from the existing certificate
   Country Name (2 letter code) [AU]:CA
   State or Province Name (full name) [Some-State]:Ontario
   Locality Name (eg, city) []:Toronto
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:The Planet Earth Incorporated
   Organizational Unit Name (eg, section) []:Earth Defence
   Common Name (eg, YOUR name) []:www.earth.com
   Email Address []:admin@earth.com

2. Run openssl to generate a new server private key

   openssl genrsa -out www.example.com_server.key 2048
   

3. Generate a CSR with the private key

   openssl req -new -key www.example.com_server.key -out www.example.com_server.csr
   

4. Submit the CSR to your root CA to be signed