Renewing a StartSSL Certificate

Share on:

My SSL certificate signer is StartSSL. Their free certificates are valid for one year. This is how I renew my certificates.

  1. Log in using my personal certificate. A copy is in my scans folder.
  2. Use the Validations Wizard to validate the domain name (it just sends an email with a code).
  3. Generate a certificate signing request using the original certificate and private key, using the command sudo openssl x509 -x509toreq -in [certificate.crt] -out csr.csr -signkey [private.key]
  4. Copy the relevant part of the CSR out of the file csr.csr and submit it to the appropriate part of the Certificate Wizard.
  5. Install the certificate by placing it in [certificate.crt] (Move the old one out of the way just in case).
  6. Append the intermediate and root certificates, available here, to the certificate generated
  7. Restart web server
  8. Test the SSL configuration (Qualys has a good one)
  9. Test sending mail
  10. Generate the combined certificate: cat [certificate.key] [certificate.crt] > [certificate.pem]. MAKE SURE THE PERMISSIONS ON THE COMBINED FILE ARE CORRECT!
  11. Test IMAP