This is an extra guide in addition to configuring an Ubuntu server to run Apache2, PHP and MySQL. Instead of Let’s Encrypt, we are using a paid DV SSL certificate. The CA/Browser Forum has made it mandatory to replace the SSL/TLS certificate yearly (read the PDF here) to avoid any security breach. So, even if a webmaster purchases an SSL/TLS certificate for 2-5 years, the annual work is mandatory. This yearly work is a burden for the webmasters of unmanaged servers. This article will help you make the workflow smooth and error-free.
We are taking it for granted that your site configuration files are kept at :
and SSL certificates are kept at :
If you have followed our guides to install and configure WordPress, then your Apache2 site configuration file will have the below lines:
Step one : Click to start the renewal process in browser
This should be the first step every year when you renew the certificate. We suggest starting the process at least a week before the expiration. You’ll receive one email to confirm/allow the renewal/reissue, and another email will have three certificates in .crt format: one certificate is for your domain, and another is an intermediate certificate. We will not need the third certificate (root certificate).
You cannot place the order until you reach the next step, since you’ll need the .csr file again. In the case of a commercial setup, changing the private key and CSR is practical. This much security is not required for an ordinary personal website, i.e. you can re-use the old private key and old CSR. Remember that this is not recommended by security experts, but it saves time for low-risk servers. So, you are just copy-pasting the .csr file to obtain the new certificate.
Step two : SSH and navigate to the location of the SSL certificate files
cd to the location where you have kept your SSL certificates:
Keep the old and new certificates in a meaningful, organized manner in this directory. I usually keep the certificates in this way:
4096 Oct 2 08:05 .
4096 Nov 25 2018 ..
1102 Aug 5 2018 2018.csr
769 May 28 2017 dhparams_4096.pem
1724 Jun 7 2017 inter.crt
1692 Aug 5 2018 intermediate2018.crt
1688 Sep 3 2018 intermediate2020.crt
1903 Sep 5 2020 intermediate2021.crt
1905 Oct 2 08:05 intermediate2022.crt
1733 May 28 2017 intermediate.crt
1724 Jun 7 2017 inter.pem
1704 May 28 2017 private.key
2097 Aug 5 2018 public2018.crt
2253 Sep 3 2018 public2020.crt
2229 Sep 5 2020 public2021.crt
2376 Oct 2 08:04 public2022.crt
2270 May 28 2017 public.crt
1444 Jun 7 2017 root.crt
3168 Jun 7 2017 root-intermediate.crt
3168 Jun 7 2017 root-intermediate.pem
1444 Jun 7 2017 root.pem
1704 May 28 2017 ssl-cert-snakeoil.key
5030 Aug 5 2018 test-intermediate.pem
Step three : Create empty files and paste the content of each certificate
If you are using Microsoft Windows and Ubuntu Bash to SSH to the server, then you can easily copy-paste the content from the browser/computer into the SSH session.
# paste the content
# paste the content
Step four : Edit the Apache2 configuration file
You have to edit the file names in the site configuration file. In our example, the configuration files are located at /etc/apache2/sites-available. You’ll need to change only two lines; you do not need to change the private key:
Run a config test :
and restart Apache:
service apache2 restart
and finally reboot the instance:
A reboot will erase any caching by the running operating system. Remember to do the above steps for your www sub-domain as well (when you are using a naked domain like us).
Step five : Test
Load your website and check the expiry date. We need to check the certificate chain and formally run a full test:
You have to do this every year, so if you have not kept things easy, make it easy to remember now.
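Because the old private key is re-used and the new files are pasted in by hand, it helps to confirm locally that the new certificate matches the key, verifies against the new intermediate and is not close to expiry before Apache is restarted. The script below is an added example, not part of the original article: the function names (pubkey_hash, check_renewal, make_demo), the exit codes and the 7-day default are assumptions of this example, and the demo certificates are constructed throwaway files.

```sh
#!/bin/sh
# Added example: checks to run on a renewed certificate before restarting Apache.
# Function names, exit codes and the 7-day default are assumptions of this example.

# SHA-256 of the public key inside a certificate ("cert") or private key ("key").
pubkey_hash() {
  case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;
  esac 2>/dev/null | openssl sha256
}

# check_renewal KEY LEAF INTERMEDIATE [MIN_DAYS]
# 0 = good, 1 = leaf/key mismatch, 2 = chain failure, 3 = expiring, 4 = unreadable file.
check_renewal() {
  key=$1 leaf=$2 inter=$3 min_days=${4:-7}
  for f in "$key" "$leaf" "$inter"; do
    [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 4; }
  done
  if [ "$(pubkey_hash cert "$leaf")" != "$(pubkey_hash key "$key")" ]; then
    echo "FAIL: $leaf was not issued for $key" >&2; return 1
  fi
  # -partial_chain lets the intermediate act as trust anchor, so the root
  # certificate is not needed here.
  if ! openssl verify -partial_chain -CAfile "$inter" "$leaf" >/dev/null 2>&1; then
    echo "FAIL: $leaf does not verify against $inter" >&2; return 2
  fi
  if ! openssl x509 -in "$leaf" -noout -checkend "$((min_days * 86400))" >/dev/null; then
    echo "FAIL: $leaf expires within $min_days days" >&2; return 3
  fi
  echo "OK: $(openssl x509 -in "$leaf" -noout -enddate)"
}

# Constructed throwaway issuer and 20-day leaf in directory $1, for a dry run.
make_demo() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Issuer" -days 30 \
    -keyout "$1/issuer.key" -out "$1/intermediate.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$1/private.key" -out "$1/site.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/site.csr" -days 20 -CA "$1/intermediate.crt" \
    -CAkey "$1/issuer.key" -CAcreateserial -out "$1/public.crt" 2>/dev/null
}

case "${1:-}" in
  demo) d=$(mktemp -d) && make_demo "$d" &&
        check_renewal "$d/private.key" "$d/public.crt" "$d/intermediate.crt" ;;
  ?*)   check_renewal "$@" ;;
esac
```

With the file names from the listing above, the arguments would be private.key, public2022.crt and intermediate2022.crt, in that order.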