How to update commercial SSL certificate on the website

Discussion in 'ISPConfig 3 Priority Support' started by SupuS, Apr 14, 2018.

  1. SupuS

    SupuS Member HowtoForge Supporter


    I would like to update website commercial SSL certificate and I am forced to use new csr. But when I create new SSL certicate in ISPConfig 3 the certificate is self signed until I get certificate from certification authority. What is the proper way to achieve this without SSL service interrupting? Is there a way to generate new csr while old certificate is used until new one is installed?

    Thank you
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    The certificate ISPConfig generates is self-signed always. If you already have purchased and installed a certificate from an certification authority, use it until you buy a new one. When you get the new certificate, install it before the old one expires. There should be not interruption in SSL service.
    You get the paid for certificate from certification authority, you do not make it yourself.
  3. SupuS

    SupuS Member HowtoForge Supporter

    thank you for your comment. Please check these steps:

    Create certificate:
    1) generate certificate in ISPConfig
    2) use csr to generate signed certificate in certification authority web interface
    3) wait for generate signed certificate - it can take several days .. depends on type of certificate
    4) put newly generated crt and intermediate certificate to ISPConfig

    Update certificate:
    exactly same procedure as create but problem is point 3 - wait for new certificate .. during this period is used self signed certificate generated by ISPConfig

    Solution available now:
    1) use LE certificate until new certificate is available
    2) save old certificate and new certificate and put old certificate back manually again after CSR is generated by ISPConfig until new certificate is created

    Desired solution - function for update certificate:
    1) create new, inactive private key and csr for certification authority separatelly from currently used certificate
    2) apply new certificate when signed certificate is available
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    If step 1) causes problems, do not do it.
    You do not need to generate certificates in ISPConfig if you want to purchase the certificate from some certification authority. You can use command openssl to generate the stuff needed. Read the instructions the certificate authority provides, or if it really does not have this info, using Internet search engines I found this:
    Last edited: Apr 14, 2018
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    If you have to create a new CSR (which is not typical, normally you would just use the existing CSR again), then I would go the way @Taleman described and create the CSR on the command line to avoid issues in the timespan until the new SSL cert is issued. There is no solution for that in ISPConfig yet.
  6. SupuS

    SupuS Member HowtoForge Supporter

    Thank you both for the info. The reason why I am forced to create new CSR is acquisition of Digicert and Symantec authorities. I have to replace all certificates issued by Symantec, AlpiroSSL, Thawte and GeoTrust with using new CSR. It means dozens certificates for us so I am looking for the easiest solution.

Share This Page