How to Yearly Update SSL/TLS Certificate in Apache2 Server

This is an extra guide in addition to configuring Ubuntu server to run Apache2, PHP, MySQL. Instead of Let’s Encrypt, we are using a paid DV SSL certificate. CA browser forum has made it mandatory to yearly replace (read the PDF here) the SSL/TLS certificate to any avoid security breach. So, even a webmaster purchases an SSL/TLS certificate for 2-5 years, the annual work is mandatory. This yearly work is a burden to the webmasters of unmanaged servers. This article will provide you a-kind-of-help to make the workflow smooth and error-free.

We are taking it granted that your site configuration files are kept at :

and SSL certificates are kept at :

If you have followed our guides to install and configure WordPress, then your Apache2 site configuration file will have the below lines:

 

Step one : Click to start the renewal process in browser

 

This should be the first step every year when you’ll renew the certificate. We will suggest starting the process at least a week before the expiration. You’ll receive one email to confirm/allow the renewal/reissue, and another email will have three certificates in .crt format – one certificate is for your domain, and another is an intermediate certificate. We will not need the third certificate (root certificate).

You can not order till you reach the next step since you’ll need the .csr file again. In the case of a commercial setup, changing the private key and CSR is practical. This much security is not required for an ordinary personal website i.e. you can re-use the old private key and old CSR key. Remember that this is not recommended by the security experts but it saves time for low-risk servers. So, you are just copy-pasting the .csr file to obtain the new certificate.

 

Step two : SSH and navigate to the location of the SSL certificate files

 

cd to the location where you have kept your SSL certificates:

Keep the old and new certificates in a meaningful, organized manner in this directory. I usually keep the certificates in this way:

 

Step three : Create empty files and paste the content of each certificate

 

If you are using Microsoft Windows and Ubuntu Bash to SSH to the server, then you can easily copy-paste the content of the browser/computer to the SSH screen.

 

Step four : Edit the Apache2 configuration file

 

You have to edit the file names in the site configuration file, in our example, the configuration files are located at /etc/apache2/sites-available, you’ll need to change only two lines, you do not need to change the private key:

Run a config test :

and restart Apache:

and finally reboot the instance:

A reboot will erase any caching by the running operating system. Remember to do the above steps for your www sub-domain as well (when you are using a naked domain like us).

 

Step five : Test

 

Load your website and check the expiry date. We need to check the certificate chain and formally run a full test:

You have to do this every year, so if you have not kept things easy, make it easy to remember now.