Renewed SSL certificates for 2025/6

• Renewed SSL certificates available for download on Fasthosts account
  • Download “Certificate” and rename → signed.crt
  • Download both “Intermediate Certificates”
    • not sure why there are 2 intermediate certificates
    • rename one as ca.pem.1
    • renmame other as ca.pem.2
• Use WinSCP to copy the 3 certificates to the Yaddnet VPS
• Log on to yaddnet vps via SSH
  • copy existing certificates in /usr/local/ssl from
    • signed.crt → signed.crt.old
    • ca.pem → ca.pem.old
  • copy new certificates from home directory to /usr/local/ssl
  • for clarity this gives new files
    • /usr/local/ssl/signed.crt
    • /usr/local/ssl/ca.pem.1
    • /usr/local/ssl/ca.pem.2
    • copy ca.pem.2 → ca.pem
  • Restart Apache
    • service apache2 restart
  • browse to https://www.yaddnet.org/index.php?
  • site loads correctly
    • check site security

• swap ca.pem files (copy ca.pem.1 → ca.pem)
• Restart Apache
• browse to https://www.yaddnet.org/index.php?
• site loads correctly
• security also valid

I used openssl to inspect the two different intermediate certificates

gm4slv@yaddnet2:~ $ openssl x509 -in ca.pem -noout -text > /home/gm4slv/capemold.txt

• for ca.pem.1

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            39:72:44:3a:f9:22:b7:51:d7:d3:6c:10:dd:31:35:95
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
        Validity
            Not Before: Mar 12 00:00:00 2019 GMT
            Not After : Dec 31 23:59:59 2028 GMT
        Subject: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

• or ca.pem.2

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            7d:5b:51:26:b4:76:ba:11:db:74:16:0b:bc:53:0d:a7
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
        Validity
            Not Before: Nov  2 00:00:00 2018 GMT
            Not After : Dec 31 23:59:59 2030 GMT
        Subject: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

• and for completeness the old original ca.pem from prior to the renewal

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0d:e0:ff:b5:ee:62:cb:61:10:9f:60:8c:9c:ed:5e:d3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
        Validity
            Not Before: Nov 27 12:46:40 2017 GMT
            Not After : Nov 27 12:46:40 2027 GMT
        Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G2

It appears that the certificate (ca.pem.2) from “Sectigo” has the longest validity, and that this is the more recent/appropriate one, so I've made it the certificate in use

sudo cp ca.pem.2 ca.pem

sudo service apache2 restart

— John Pumford-Green 15/03/25 06:36 GMT