The logistics of moving an SSL certificate to a new server

I'll preface this by saying most of this stuff is new to me. I am generally just a web designer, but I've now been tasked with setting up and maintaining a web server, so giving myself a crash course on things like SSL and configuring Apache and other web server stuff has been an interesting ride.

So here is my situation:

I need to move a medium-sized bank's website from Network Solutions to my new VPS server here on Linode, which includes moving/reissuing an SSL certificate and trying to make the downtime for the website as short as possible.

Getting the web server stuff up and running was quite easy thanks to the Linode documentation. So I have a complete copy of the bank website up and running on Linode right now (accessible by IP and not domain right now). The part that is giving me stress is figuring out the exact steps to get the SSL certificate installed and switching servers with as little downtime as possible.

So as far as I can tell the order I need to do this in is:
1. Change domain to point to Linode name servers (which will leave the fresh Linode copy of the site SSL-less for a period, which is less than ideal, but I see no way around this)
2. Initiate SSL reissue and wait for it to go through (which according to NS can take from 1 to 5 days to complete)
3. Upload SSL files to server and properly configure the virtualhost config file for the site to point to the right certificate files.

Now, if anyone has any tips for making steps 1 and 2 go as smoothly as possible, I would love to hear them. Should I pull the site down, replacing it with a "Down for Maintenance" message for the couple of days this might take? But having the site completely inaccessible for the time it might take for this to all go down might not be a good idea.

The next thing that is tripping me up is that the files Network Solutions provides seem to differ from what other places do. They provide 4 files with the following names:

* AddTrustExternalCARoot.crt
* NetworkSolutions_CA.crt
* STAR.DOMAINNAME.COM.crt
* UTNAddTrustServer_CA.crt
Now according to the Linode tutorial, I need to point to 3 files in my Apache virtual host file:

* SSLCertificateFile /etc/apache2/ssl/
* SSLCertificateKeyFile /etc/apache2/ssl/
* SSLCACertificateFile /etc/apache2/ssl/verisign.cer

The SSLCertificateFile is easy enough, that will be the STAR.DOMAINNAME.COM.crt file NS provides.

The SSLCertificateKeyFile is the key file I generate along with the CSR file, so that seems simple too.

The SSLCACertificateFile file I am assuming is the NetworkSolutions_CA.crt file, but they have different file extensions which is throwing me off. Are CER and CRT files interchangeable?

And what is with the other 2 files they are providing (AddTrustExternalCARoot.crt and UTNAddTrustServer_CA.crt)? Do I need those for anything?

Any help or advice would be much appreciated!

2 Replies

I think the biggest problem you have here isn't a technical one, it's one of liability. What happens if this goes sour? What happens if this isn't set up correctly, securely? There's a lot at stake running a bank's secure web presence, even if the online account access feature itself is outsourced. Someone needs to be held accountable if this isn't set up right and if you don't feel comfortable doing that, I'd make that clear to your boss before proceeding. Let him know in writing that you're a designer, not a sysadmin, and though you'll try your best, no promises.

Thanks for the feedback Brian.

I was able to get everything all worked out over the last two days and the move went fairly smoothly.

Once I figured out I had to concatenate 3 of those files together (`cat AddTrustExternalCARoot.crt NetworkSolutionsCA.crt UTNAddTrustServerCA.crt >> ca_bundle.crt`), everything else fell into place.

Wanted to leave something about the file concatenation in case anyone else has this issue!
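A concrete way to settle the CER-versus-CRT question from the original post and to check the reissued files before editing the vhost, as an added example that is not part of the thread: the extensions are just naming conventions, and what Apache cares about is whether the file content is PEM (base64 between BEGIN/END lines) or DER (binary). The script below assumes only the openssl command-line tool. It detects the encoding by content, converts DER to PEM, builds the CA bundle in the order Apache reads it (the server certificate's issuer first, root last, with a forced newline between files so one certificate never runs into the next), confirms that the private key generated with the CSR belongs to the certificate, and verifies the chain with only the root trusted, which is how a browser sees it. One caveat on the Linode snippet quoted in the question: in mod_ssl, SSLCACertificateFile is the directive for client-certificate authentication; the intermediate chain sent to browsers goes in SSLCertificateChainFile (or, on Apache 2.4.8 and later, appended after the server certificate in SSLCertificateFile). File names such as ca_bundle.crt and check_ssl.sh are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI is on PATH.
# File names in comments are the poster's Network Solutions names and are
# only illustrative.
#
# Three checks worth running before touching the Apache vhost:
#   1. Is a .cer/.crt file PEM or DER? The extension says nothing; the
#      content does, and mod_ssl wants PEM.
#   2. Does the private key generated with the CSR really belong to the
#      reissued certificate?
#   3. Does the CA bundle let a client chain the server certificate up to
#      the root when only the root is trusted?

# Print PEM or DER based on file content, not extension. Returns 1 if neither.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM
    elif openssl x509 -inform DER -in "$1" -noout >/dev/null 2>&1; then
        echo DER
    else
        echo UNKNOWN
        return 1
    fi
}

# Emit a certificate as PEM on stdout whatever its input encoding.
to_pem() {
    case "$(cert_format "$1")" in
        PEM) cat "$1" ;;
        DER) openssl x509 -inform DER -in "$1" -outform PEM ;;
        *)   return 1 ;;
    esac
}

# Concatenate CA certificates into one PEM bundle and print how many it holds.
# Order: the server certificate's issuer first, root last, because Apache's
# SSLCertificateChainFile is read top-down. A trailing newline is forced after
# each file; CA downloads often lack one, which glues END onto the next BEGIN.
# Usage: build_bundle OUTPUT INTERMEDIATE... ROOT
build_bundle() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        to_pem "$f" >> "$out" || return 1
        if [ -n "$(tail -c 1 "$out")" ]; then echo >> "$out"; fi
    done
    grep -c -- '-----BEGIN CERTIFICATE-----' "$out"
}

# Succeed only if the key's public half equals the certificate's public key.
# Both commands print the SubjectPublicKeyInfo as PEM, so a plain string
# comparison works for RSA and EC keys alike.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if SERVER_CERT chains to ROOT through BUNDLE. Only the root is
# trusted (-CAfile); the bundle is offered as untrusted material, exactly as a
# browser receives intermediates from the server.
# Usage: chain_verifies SERVER_CERT BUNDLE ROOT
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Stand-alone use:
#   sh check_ssl.sh SERVER.crt SERVER.key ROOT.crt INTERMEDIATE...
if [ "$#" -ge 3 ]; then
    cert="$1"; key="$2"; root="$3"; shift 3
    for f in "$cert" "$root" "$@"; do
        echo "$f: $(cert_format "$f")"
    done
    if key_matches_cert "$cert" "$key"; then
        echo "private key matches $cert"
    else
        echo "private key does NOT match $cert"; exit 1
    fi
    n=$(build_bundle ca_bundle.crt "$@" "$root")
    echo "wrote ca_bundle.crt with $n certificate(s)"
    if chain_verifies "$cert" ca_bundle.crt "$root"; then
        echo "chain verifies"
    else
        echo "chain does NOT verify"; exit 1
    fi
fi
```

For the files named in the question this would be run as `sh check_ssl.sh STAR.DOMAINNAME.COM.crt server.key AddTrustExternalCARoot.crt NetworkSolutions_CA.crt UTNAddTrustServer_CA.crt`. A chain that fails here will also fail in browsers once DNS moves, so it is worth running before the switch rather than after; the key check catches the common reissue mistake of keeping an old key file beside a certificate issued for a new CSR.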
