HOW-TO: Transferring an SSL Cert between two CP/WHM Servers

[lyew]

The problem with some SSL cert authorities is that they won't regenerate a new cert for you to use the moment you switch servers. This is the problem I faced with Geotrust. All the company is willing to say is that you should be able to export the CSR, key file, and the cert quite easily.

So after a bit of mucking around, this is what I did when I found that WHM didn't transfer the cert over when I copied the domain account over.

You'll need to have SSH root access for this.

Before you begin, make sure that you've already used the WHM copy account function to transfer the domain account, dns settings, etc, over.

1. SSH into your old server. You should be able to find these two directories:

/usr/share/ssl/private
/usr/share/ssl/certs

The first directory contains the key file while the second contains the certificate signing request (CSR) and the certificate itself.

2. Now identify the relevant files you'll need to copy over to the new server.

If the SSL domain is "secure.domain.com" these files should be copied over to the exact same directories on your new servers:

/usr/share/ssl/private/secure.domain.com.key
/usr/share/ssl/certs/secure.domain.com.cabundle
/usr/share/ssl/certs/secure.domain.com.crt
/usr/share/ssl/certs/secure.domain.com.csr

3. Now use FTP,WGET or your preferred file transfer method to move these files over to the new server

4. Log into WHM as root, go to SSL/TLS -> Install an SSL Certificate and Set Up a New Domain

5. In the Domain field, enter the relevant domain (eg. secure.domain.com), click on the fetch button ABOVE (NOT below). Your SSL cert should be displayed in the box and the username, IP fields should appear automatically.

6. In the panel immediately below click on the FETCH button to fetch the .key file. This should appear as well.

7. When this is done, click "DO IT" at the top of the screen and WHM wiil install the cert and configure httpd to use the cert.

That's all there is to it! You can modify the httpd.conf file to get the secure domain to point to a different subdirectory if you wish.

If you know of another method please feel free to add to this thread. Somehow methinks there might be an easier way

[WebVandals]

I tried the method above (probably did something wrong) and it didn't work for me.

But here's what DID work, basically just copy and paste the certs from your old WHM into your new WHM like this:

1) Open your old WHM and your new WHM in 2 separate browser windows (or tabs).

2) Find the SSL/TLS section in both WHMs.

3) Click "ssl manager" in the old WHM, then click the disk icon for whatever.domain.com.crt -- now you can hilight and copy that cert.

4) Click "Install an SSL Certificate and Setup the Domain" in your new WHM and paste the cert in the top text field.

5) Repeat steps 3 and 4 except this time copy and paste the whatever.domain.com.key instead of .crt

6) Enter your domain name (including subdomain), username, and IP then click "DO IT".

7) Repeat 3 thru 6 for each domain.

NOTE: don't worry about the .csr or .test or other stuff. I think you just need the .crt and .key.

[spaceman]

About 2 hours ago I perfomed WebVandals suggestion after first successfully moving a hosting account from one server to another. The re-install of the SSL cert seemed to go very smoothly.

BUT, the secure part of the site remains non-operational at time of writing.

I'm hoping it's just a propagation issue, but it's kind of strange because, from a ping perspective, it looks like the site move has already fully and successfully propagated:

ping www.thewoolshack.com : 216.7.176.125
ping secure.thewoolshack.com : 216.7.176.125

To see the problem:

http://www.thewoolshack.com/books.ht...n=detail&ID=18

... and click on any of the 'Add to Basket' pages. This should have the effect of shifting the customer onto the secure server and showing the shopping cart. I currently get a 404 'page cannot be displayed' error. Prior to the move, this was working perfectly (and had been for some time).

Again, I'm hoping this is simply a propagation issue, but if anyone's got some words of wisdom on the subject in the meantime, it might help to calm my nerves... :-)

SSL certs are in no way hard-coded against an IP address, are they (scratching for ideas here!)??

[lyew]

No, I don't think SSL certs have IP numbers hard coded into them, unless you request for that specifically.

I tried your website out, but didn't get a 404 error. In fact, I got a server or dns error, which tells me that your httpd.conf isn't configured properly.

Go to /etc/httpd/conf/httpd.conf

open it in an editor like pico. Then, try to find a section that starts like this

<VirtualHost ipnumber:443>
...
ServerName secure.thewoolshack.com

If you can't find it, it means WHM hasn't properly set up the SSL cert for that domain.

You might want to repeat the installation process. ALso, don't forget to ensure that the DocumentRoot settings in the above section is correct.

[spaceman]

Thanks for your help, lyew. Having just copied another SSL cert, I'm 99% sure I spotted where I went wrong:

Using WebVandals technique, when I cut and paste the .crt file, the IP address field was automatically populated with the OLD IP address of the site - but I didn't spot this at the time. In copying the whole site to the new server, a new IP address had been issued, and so before clicking "DO IT" I should have manually edited the IP address to be the correct new IP address.

You live and learn! :-)

[Tina]

Hi I just wanted to report that I followed the instructions posted by WebVandals, paying close attn to the IP (thanks to spaceman), and the ssl transfer was flawless. Thanks for posting!

Tina

[knipper]

OK Folks....

I transfered two certs with WebVandals method, and tested them out before DNS propegated via the IP address. I got the "the cert doesn't match the name" error. So all looked good. You could check the cert and see the domain name was correct.

It has now been about 4 days and DNS has propegated. However on 1 site, I get a 404 error when I try to go to ANY https page on the site. Wether I use the domain name or IP address. And this worked OK after the original transfer, per my test above.

I checked all the files were in the correct place, and checked out httpd.cong as well. Everything looks fine.

Anybody got any tips?

[d-woo]

On SSLs there is a difference between "https://yoursite.com" and "https://www.yoursite.com"

That might be the difference. Just a thought!

[DavidR]

FWIW, I just transferred a cert using WebVandals' method as well with no problem at all .

David

[juba]

Is the WHM copying the SSL now?

I see this when copying account:

Copying SSL Certificates, CSRS, and Keys

Thanks...

[raxafarian]

Is the WHM copying the SSL now?

I see this when copying account:

Copying SSL Certificates, CSRS, and Keys

Thanks...

yes. I did step 4 in the first post and it 'autopopulates' the other fields... then hit 'do it' and voila, done.

[juba]

Thanks I did it and it worked