====== YaDDNet VPS SSL Renewal ======
** Renewed SSL certificates for 2025/6 **
===== 15/03/25 : SSL certificates =====
  * Renewed SSL certificates available for download on Fasthosts account
  * Download "Certificate" and rename -> ''signed.crt''
  * Download //both// "Intermediate Certificates"
    * not sure why there are 2 //intermediate// certificates
    * rename one as ''ca.pem.1''
    * rename the other as ''ca.pem.2''
  * Use WinSCP to copy the 3 certificates to the Yaddnet VPS
  * Log on to the Yaddnet VPS via SSH
  * copy the existing certificates in ''/usr/local/ssl'' to backups
    * ''signed.crt'' -> ''signed.crt.old''
    * ''ca.pem'' -> ''ca.pem.old''
  * copy the new certificates from the ''home'' directory to ''/usr/local/ssl''
    * for clarity this gives new files
      * ''/usr/local/ssl/signed.crt''
      * ''/usr/local/ssl/ca.pem.1''
      * ''/usr/local/ssl/ca.pem.2''
  * copy ''ca.pem.2'' -> ''ca.pem''
  * Restart Apache
    * ''service apache2 restart''
  * browse to [[https://www.yaddnet.org/index.php?]]
    * site loads correctly
    * check site security
{{:public:radio:2025:screenshot_2025-03-15_072557.png?400|}}
  * swap ''ca.pem'' files (copy ''ca.pem.1'' -> ''ca.pem'')
  * Restart Apache
  * browse to [[https://www.yaddnet.org/index.php?]]
    * site loads correctly
    * security also valid
==== Different intermediate CA.pem certificates ====
I used openssl to inspect the two different //intermediate// certificates:
<code>
gm4slv@yaddnet2:~ $ openssl x509 -in ca.pem -noout -text > /home/gm4slv/capemold.txt
</code>
  * for ''ca.pem.1''
<code>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            39:72:44:3a:f9:22:b7:51:d7:d3:6c:10:dd:31:35:95
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
        Validity
            Not Before: Mar 12 00:00:00 2019 GMT
            Not After : Dec 31 23:59:59 2028 GMT
        Subject: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
</code>
  * for ''ca.pem.2''
<code>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            7d:5b:51:26:b4:76:ba:11:db:74:16:0b:bc:53:0d:a7
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
        Validity
            Not Before: Nov 2 00:00:00 2018 GMT
            Not After : Dec 31 23:59:59 2030 GMT
        Subject: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
</code>
  * and for completeness the //old// original ''ca.pem'' from prior to the renewal
<code>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0d:e0:ff:b5:ee:62:cb:61:10:9f:60:8c:9c:ed:5e:d3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
        Validity
            Not Before: Nov 27 12:46:40 2017 GMT
            Not After : Nov 27 12:46:40 2027 GMT
        Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G2
</code>
It appears that the certificate (''ca.pem.2'') from "Sectigo" has the longest validity, and that this is the more recent/appropriate one, so I've made it the certificate in use:
<code>
sudo cp ca.pem.2 ca.pem
sudo service apache2 restart
</code>
--- //John Pumford-Green 15/03/25 06:36 GMT//
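Reading the Issuer and Subject lines of the dumps above together: ''ca.pem.1'' (Subject: USERTrust RSA Certification Authority) is the issuer of ''ca.pem.2'' (Subject: Sectigo RSA Domain Validation Secure Server CA), so the two files are consecutive links of one chain rather than alternatives, and the usual arrangement is to serve both, the leaf's issuer first, so that clients that only trust the older AAA root can still build the chain. The script below is an added example (not part of this page) that orders CA files into chains from their ''openssl x509 -noout -text'' output and names the file whose Subject matches a leaf's Issuer, as printed by ''openssl x509 -in signed.crt -noout -issuer''; its input is the Issuer/Subject lines copied from the three dumps above, with the old DigiCert ''ca.pem'' included to show a file that belongs to a different chain.

```python
import re

# Constructed input: the Issuer and Subject lines of the three dumps shown on
# this page (ca.pem.1, ca.pem.2 and the pre-renewal ca.pem), keyed by file name.
DUMPS = {
    "ca.pem.1": """
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
        Subject: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
    """,
    "ca.pem.2": """
        Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
        Subject: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
    """,
    "ca.pem.old": """
        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
        Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G2
    """,
}

def parse_cert(name, text):
    """Reduce one `openssl x509 -noout -text` dump to the two fields the chain check needs."""
    def field(key):
        return re.search(rf"^\s*{key}\s*:\s*(.+?)\s*$", text, re.M).group(1)
    return {"name": name, "issuer": field("Issuer"), "subject": field("Subject")}

def order_chains(certs):
    """Group certs into chains, leaf-most first, following each Issuer to its Subject.
    A chain starts at a cert that signs nothing else in the set and stops when the
    issuer is absent (a root held in the client's trust store) or the chain repeats."""
    by_subject = {c["subject"]: c for c in certs}
    signs_another = {c["issuer"] for c in certs}
    chains = []
    for cur in [c for c in certs if c["subject"] not in signs_another]:
        chain = []
        while cur is not None and cur["name"] not in chain:
            chain.append(cur["name"])
            cur = by_subject.get(cur["issuer"])
        chains.append(chain)
    return chains

def issuer_file(leaf_issuer, certs):
    """Name the CA file whose Subject equals the leaf's Issuer line, or None if no file does."""
    return next((c["name"] for c in certs if c["subject"] == leaf_issuer), None)

CERTS = [parse_cert(name, text) for name, text in DUMPS.items()]

if __name__ == "__main__":
    print(order_chains(CERTS))  # -> [['ca.pem.2', 'ca.pem.1'], ['ca.pem.old']]
```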
===== Further Information =====
{{tag>yaddnet radio}}