

First time SSL - Help Needed




Posted by dan0788, 02-11-2015, 10:04 PM
Hey Guys, I'm finishing up a new e-commerce website for a client. They recently renewed their SSL for 3 years with the old designer who is hosting their current site. All I will be doing is switching the DNS to point at the new site on my server (reseller WHM account) once complete. If possible - how do I go about using the SSL that they have paid for in full already? What steps, if any, do I need to take to transfer anything over for the new site? NOTE - I do not have access to the current hosting account...there was a falling out with the original web designer. I apologize in advance for any ignorance - this is my first SSL and I know very little about the process of putting them in place. MODS - I originally posted this in the tutorial section but need help asap. Please delete the old thread if there is an issue. Thanks

Posted by donski, 02-11-2015, 11:51 PM
You need to go to the issuing certificate authority and reissue the certificate. Go onto the new server and create a CSR (signing request) for the keypair and go to the CA to reissue the certificate. You'll need access to the customer email domain to send/receive validation correspondence.

Posted by mandrei99, 02-12-2015, 08:23 AM
If you cannot get your hands on the old key pair (private + public, signed), you need to start from scratch: generate a new key pair and a new CSR and provide it to the CA that your client has a contract with (or you might need to ask the customer to do this as it's their contract). Make sure the old certificate is revoked. A few things to be extra careful about: use at least a 2048 bytes key. Make sure you use the correct CN, or if you apply for a wildcard or a SubjAltName certificate with multiple CNs, avoid typos. Wildcard *.domain.com will NOT be valid for store.us.domain.com. Document yourself before applying. A good help would be going to the old hosting website, looking at the information of the current certificate and using that one. Good luck.

Posted by dan0788, 02-12-2015, 03:51 PM
Thank you for the replies. Unfortunately I am pretty ignorant when it comes to anything you guys are talking about. I don't really know the first place to start. The certificate was purchased and installed by the original designer - who is no longer in the picture. Contacting him or accessing his hosting account is pretty much out of the question. Attached is what comes up when I run a reverse SSL lookup. Is my best bet to just have a new SSL issued? If so, do I need to do anything with the existing one? How would I go about doing either of the above? Thanks a ton

Posted by s_husky, 02-12-2015, 03:54 PM
I'd start over. Don't waste your time with SHA1 certificates. Generate a new CSR, new private key and get a certificate from somebody like namecheap.com, they start at $10/yr.

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

Will generate a new key and CSR for you. Enter the fields it asks for, the most important one is the CN field (Common Name) should be something like www.website.com and for a single domain certificate that will be valid for www.website.com and website.com.

Last edited by s_husky; 02-12-2015 at 03:57 PM.
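A non-interactive version of the CSR step discussed in this thread, as an added example that is not part of any post: it writes the requested names into a config file so the CN and SubjectAltName entries can be reviewed for typos, then reads the CSR back to confirm key size and names. The host names, subject fields and function names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Host names, subject fields and
# function names are placeholders chosen for illustration.
set -eu

# make_csr <outdir> <common-name> [<alt-name>...]
make_csr() {
  csr_dir=$1; csr_cn=$2; shift 2
  csr_san="DNS:$csr_cn"
  for n in "$@"; do csr_san="$csr_san,DNS:$n"; done
  cat > "$csr_dir/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
C = US
O = Example Store
CN = $csr_cn
[ext]
subjectAltName = $csr_san
EOF
  # The private key stays on the server; only CSR.csr is sent to the CA.
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$csr_dir/req.cnf" \
      -keyout "$csr_dir/privateKey.key" -out "$csr_dir/CSR.csr" 2>/dev/null )
}

# csr_summary <csr>: self-signature check, then subject, key size and names.
csr_summary() {
  openssl req -in "$1" -noout -verify -text 2>/dev/null |
    grep -E 'Subject:|Public-Key:|DNS:' | sed 's/^ *//'
}

# csr_names <csr>: one requested DNS name per line.
csr_names() {
  openssl req -in "$1" -noout -text | tr ', ' '\n\n' | sed -n 's/^DNS://p'
}

# csr_has_name <csr> <hostname>: exact match, so typos show up before purchase.
csr_has_name() { csr_names "$1" | grep -Fxq "$2"; }

demo_dir=$(mktemp -d)
make_csr "$demo_dir" www.example.com example.com
csr_summary "$demo_dir/CSR.csr"
csr_has_name "$demo_dir/CSR.csr" store.us.example.com ||
  echo "store.us.example.com is not requested"
rm -rf "$demo_dir"
```
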

Posted by dan0788, 02-12-2015, 04:13 PM
Thanks for the response. Would I do all 3 of those through namecheap? When in WHM or the cpanel of the site, I have no SSL manager etc. The only option in WHM is "Generate an SSL certificate and signing request" Lost me here, sorry.

Posted by s_husky, 02-12-2015, 04:16 PM
It's just the one certificate you need to generate, the rest are the Certificate Authority Chain and Root Certificate, they are provided to you once the certificate is signed and are used to prove that the certificate is trusted. And you could just use the "Generate an SSL certificate" function in WHM I believe. If you have SSH access to the server then the openssl method works too. The command I gave can be pasted into the command line to give you a certificate signing request. If you're not familiar with it then just use the WHM function.

Posted by dan0788, 02-12-2015, 04:18 PM
Ok. The domain is currently pointing at the old site. Do I need to switch the DNS before generating anything new?

Posted by s_husky, 02-12-2015, 04:20 PM
Nope, you could generate the new certificate beforehand and get it installed before switching. One thing to note: you will need access to the email address on the domain's WHOIS (the registrant usually) to verify that you actually control the domain.

Posted by dan0788, 02-12-2015, 05:06 PM
Ok sounds good. So if I follow the steps below, I should be in good shape?

1. Generate CSR in WHM https://www.namecheap.com/support/kn...436/0/whm-1146
2. Purchase SSL from namecheap https://www.namecheap.com/security/s...remiumssl.aspx
3. Activate SSL in namecheap https://www.namecheap.com/support/kn...sl-certificate
4. Install SSL via WHM or CPanel https://www.namecheap.com/support/kn...439/0/whm-1146 https://www.namecheap.com/support/kn.../9418/0/cpanel

NOTE - For step 4, I have neither of those options in WHM or CPanel. I am unable to activate the SSL/TLS Manager in my features list. Do I not have the ability to change this with a hostgator reseller account?

Posted by s_husky, 02-12-2015, 05:08 PM
You'd have to approach your provider. Do you have any dedicated IPs? I've not touched WHM in a while so not sure if it finally supports SNI or still needs a dedicated IP for SSL.

Posted by dan0788, 02-12-2015, 05:22 PM
I was under the impression that each of my accounts had a dedicated IP but was mistaken. Just came across this info. Will switching to the dedicated IP have any effect on the site I just finished?

Posted by s_husky, 02-12-2015, 05:25 PM
I couldn't comment. I'd open a ticket with your provider at this point and ask them about their SSL support before you buy a certificate.

Posted by dan0788, 02-12-2015, 05:26 PM
Thanks for all your help. I'm slowly starting to wrap my head around things.

Posted by RobInRockCity, 02-12-2015, 07:58 PM
I'm maybe a week ahead of you! Go to NameCheap.com, select SSL Certificates, scroll down to the bottom and look for a "Chat with Us" link. Choose that, and ask away. Great people working their chat line. Ask any question you have. Go here. I got a domain-verified SSL for $9, and you can get the business-verified ones for a good price too - which I'd recommend for e-commerce. Hope that helps?! Rob

Posted by MarkXS, 02-15-2015, 04:37 PM
Strongly second the recommendation to use Namecheap for SSL certs. Good costs, very straightforward ordering process. Good help info on how to do it. SSLS.com is also Namecheap under another marketing brand of theirs and costs sometimes cheaper.

But big question: Who bought the client's current cert? Them, or the former developer? If they bought it, it should be their property. If you or they can get the original private key used to create the CSR for the existing certificate, and the existing certificate itself, you should be able to install them on your new hosting of them. The certificate and key should be accessible from the cPanel (or any other panel) of their current hosting. Unless this move is a total stealth operation with the old developer/hosting manager left entirely in the dark until the authoritative DNS no longer points to their server, your client should demand to get the key and certificate files. They paid for them.

Note to business owners: This is why you should consider not using your developer to manage your hosting. I say this as a site developer who sometimes does manage clients' hosting due to non-technical clients. I'd never hold stuff like that hostage but I've heard way too many horror stories of just that. Usually the whole site or backups, but even just the SSL cert held hostage is unethical.

Unless, of course, the client was never charged for the cert and got SSL (I hope really TLS) hosting as a courtesy or part of that hosting plan. Then, yes, you need to buy a new cert. More correctly, they do. Because they don't own one. But most likely they do. Depending on the type and the prior host manager's markup, they may have paid serious money for it and should have the right to keep using it for the rest of its validity.

Posted by s_husky, 02-15-2015, 04:43 PM
Only reason I didn't recommend getting the original cert is because it's SHA1 signed. Might as well start fresh imo.

Posted by GunjanTripathi, 02-19-2015, 03:21 AM
Get the old data of certificate from the original email

1. Find the email in your mail inbox sent to you from your CA when you ordered your certificate
2. Copy out the certificate information, including -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----
3. Copy that certificate details to notepad and save the file as ( .crt) file
4. Find the second email when you originally generated the CSR for your order
5. Copy out the RSA Key information, including -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY-----
6. Copy that key information to notepad and save the file as ( .key) file.

Install SSL in WHM

1. Login into WHM and click on the "Install an SSL Certificate and Setup the Domain" link in the SSL/TLS menu.
2. Paste the certificate information from the ( .crt file) in the top box
3. Enter details like the domain name on which the certificate issued, the user name for the user account, and the dedicated IP address allocated to the certificate in the Domain, User, and IP Address fields.
4. Paste the information from the .key file in the second box
5. Click on the "DO IT" button to install the certificate.
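A check worth running on the saved .crt and .key files before pasting them into WHM, as an added example that is not part of the original post: it confirms the private key belongs to the certificate, flags the SHA-1 signature raised earlier in the thread, and checks expiry. File and function names are placeholders, and the sample pair is a constructed self-signed certificate.

```shell
#!/bin/sh
# Added example (not from the thread). File and function names are
# placeholders; the sample key and certificate are constructed throwaways.

# pubkey_fp cert|key <file>: SHA-256 of the DER-encoded public key.
pubkey_fp() {
  case $1 in
    cert) fp_pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
    key)  fp_pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
    *)    return 2 ;;
  esac
  [ -n "$fp_pem" ] || return 1
  printf '%s\n' "$fp_pem" | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 | sed 's/^.*= *//'
}

# key_matches_cert <key> <crt>: true only if both parse and share a public key.
key_matches_cert() {
  m_key=$(pubkey_fp key "$1") || return 1
  m_crt=$(pubkey_fp cert "$2") || return 1
  [ "$m_key" = "$m_crt" ]
}

# cert_sig_alg <crt>: e.g. sha256WithRSAEncryption or sha1WithRSAEncryption.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# preinstall_check <key> <crt>: prints the first problem found, or "ok".
preinstall_check() {
  key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 1; }
  case $(cert_sig_alg "$2") in *[Ss][Hh][Aa]1*) echo "SHA-1 signature"; return 1 ;; esac
  openssl x509 -in "$2" -noout -checkend 0 >/dev/null || { echo "expired"; return 1; }
  echo "ok"
}

# make_sample <dir>: constructed self-signed pair standing in for the CA files.
make_sample() {
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=www.example.com\n' > "$1/s.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$1/s.cnf" \
    -keyout "$1/site.key" -out "$1/site.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
preinstall_check "$demo_dir/site.key" "$demo_dir/site.crt"
rm -rf "$demo_dir"
```
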


