Renewing a StartSSL Certificate
My SSL certificate signer is StartSSL. Their free certificates are valid for one year. This is how I renew my certificates.
- Log in using my personal certificate. A copy is in my scans folder.
- Use the Validations Wizard to validate the domain name (it just sends an email with a code).
- Generate a certificate signing request using the original certificate and private key, using the command sudo openssl x509 -x509toreq -in [certificate.crt] -out csr.csr -signkey [private.key]
- Copy the relevant part of the CSR out of the file csr.csr and submit it to the appropriate part of the Certificate Wizard.
- Install the certificate by placing it in [certificate.crt] (Move the old one out of the way just in case).
- Append the intermediate and root certificates, available here, to the certificate generated
- Restart web server
- Test the SSL configuration (Qualys has a good one)
- Test sending mail
- Generate the combined certificate: cat [certificate.key] [certificate.crt] > [certificate.pem]. MAKE SURE THE PERMISSIONS ON THE COMBINED FILE ARE CORRECT!
- Test IMAP