How to Renew an SSL Certificate

Every year, I have two website SSL certificates that come up for renewal.

And every year, I forget the exact steps I need to take in order to renew them.

Those Days Are Over!

Since the whole process can be kind of confusing, last year I got smart and wrote the instructions down. But when it came time to renew again, I couldn’t find them!

So I wrote them down again this year and got even smarter: I’m going to share them here on my website. Maybe they’ll help you… but they’ll definitely help me!

Before we jump in, you should know the instructions below are based on the following conditions:

  • I purchase and renew the certificates through Namecheap.
  • Each certificate is for a single domain only, i.e. no wildcards.
  • The web server software using the certificates is nginx.

That being said, let’s get started!

Step by Step

  1. On Namecheap, choose to renew the SSL certificate.
  2. Still on Namecheap, activate the certificate. To activate, you must generate a CSR. To do so, run openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr, replacing “server” with the full domain name. The -nodes option writes the private key without a passphrase, which lets nginx load it unattended. When prompted for info, use the following:
       • Country Name: “CA” (for Canada)
       • State or Province Name: “Ontario”
       • Locality Name: “Toronto”
       • Organization Name: your name or your company name
       • Common Name: the complete domain name the certificate will secure (FQDN)
       • Email: your personal or company email address
       • all other fields are blank
  3. Copy the contents of the new .csr file and paste them in the CSR field on the Namecheap website.
  4. For domain control validation, I chose email.
  5. For contact info, I used my name, my phone number, and my personal or company email address. I left the optional stuff blank.
  6. Confirm and wait for the email. When it arrives, follow the link and approve the certificate.
  7. Another email will come containing the certificate and bundle files. Copy these files to the server.
  8. Copy the web server certificate immediately followed by the intermediate certificate to a file on the server called server.ssl-bundle.crt, i.e. cp server.crt server.ssl-bundle.crt then cat server.ca-bundle >> server.ssl-bundle.crt. See Comodo’s Nginx certificate installation instructions for details.
  9. Make each of these files read-only by the owner: chmod 400 server.*.
  10. Copy the .ssl-bundle.crt and .key files to wherever nginx is configured to look for them then reload the nginx config.
  11. Checking the SSL info on the website should show the new expiry date.
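
Before reloading nginx, the bundle and key built in the steps above can be checked for the usual renewal mistakes: a key that does not match the new certificate, the intermediate placed before the server certificate, PEM boundaries fused by cat, and a key readable by other users. The script below is an added example, not part of the original instructions; the function names check_renewal and make_fixture are illustrative, it assumes the openssl command-line tool is installed, and the fixture uses throwaway self-signed certificates in place of the files the CA sends.

```shell
#!/bin/sh
# Added example: checks to run on a renewed certificate before reloading nginx.
# check_renewal KEY BUNDLE returns 0 when the pair is safe to deploy, else 1.
check_renewal() {
  key=$1; bundle=$2
  # A .crt file with no trailing newline makes `cat >>` fuse two PEM
  # boundary lines into one, and the bundle then fails to load.
  if grep -q -- 'END CERTIFICATE-*BEGIN' "$bundle"; then
    echo "FAIL: fused PEM boundaries in $bundle" >&2; return 1
  fi
  # openssl x509 reads only the first certificate in a file, so this
  # comparison also fails when the intermediate was written before the leaf.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=bad-key
  crt_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || crt_pub=bad-cert
  if [ "$key_pub" != "$crt_pub" ]; then
    echo "FAIL: $key does not match the first certificate in $bundle" >&2; return 1
  fi
  # -checkend 0 exits non-zero when the certificate has already expired.
  if ! openssl x509 -in "$bundle" -noout -checkend 0 >/dev/null; then
    echo "FAIL: certificate has expired" >&2; return 1
  fi
  # After chmod 400 the key carries no group or other permission bits.
  if [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
    echo "FAIL: $key is accessible to group or other" >&2; return 1
  fi
  echo "OK: key matches; $(openssl x509 -in "$bundle" -noout -enddate)"
}

# Constructed fixture: throwaway self-signed certificates stand in for the
# server.crt and server.ca-bundle files that the CA sends by email.
make_fixture() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA" \
    -keyout "$d/ca.key" -out "$d/server.ca-bundle" 2>/dev/null
  cp "$d/server.crt" "$d/server.ssl-bundle.crt"   # leaf first, as in the post
  cat "$d/server.ca-bundle" >> "$d/server.ssl-bundle.crt"
  chmod 400 "$d/server.key"
}

# Two arguments: check real files. No arguments: run on the fixture.
if [ $# -eq 2 ]; then
  check_renewal "$1" "$2"
else
  tmp=$(mktemp -d); make_fixture "$tmp"
  check_renewal "$tmp/server.key" "$tmp/server.ssl-bundle.crt"; rm -rf "$tmp"
fi
```

Once the files are in place, nginx -t validates the configuration and certificate paths before the reload.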