prjct.net

Updating SSL certificates to SHA2

A short guide to updating existing Comodo PositiveSSL SSL certificates to SHA2. These certificates are pretty cheap when gotten from SSLs.com.

Reissue the certificate

Open your account page on SSLs.com and navigate to 'My SSLs':

My SSLs page
My SSLs page

Here you can hit the 'Reissue' button. Your old certificate will still work through this process, so no worries there.

My SSLs page
My SSLs page

After proceeding you'll be asked to provide a Certificate Signing Request.

Creating new certificate requests

I'm using openssl over ssh (putty) to create the requests:

openssl req -nodes -newkey rsa:2048 -keyout your.domain.com.key -out your.domain.com.csr
cat your.domain.csr

Or if you want a stronger RSA key:

openssl req -nodes -newkey rsa:4096 -keyout your.domain.com.key -out your.domain.com.csr
cat your.domain.csr

Copy the CSR and paste it in the appropriate form on the SSL provider website.

Creating a chained certificate

A chained certificate is, in practice, nothing more than some files bunded. To create a usable 'your.domain.com_chained.crt' with a Comodo PositiveSSL certificate you can run the following command:

cat your.domain.com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > your.domain.com_chained.crt

The files COMODORSADomainValidationSecureServerCA.crt, COMODORSAAddTrustCA.crt and AddTrustExternalCARoot.crt should be included in the .zip you received by e-mail.

Thats all there is too it! Next article will show you how to update some settings on NGINX, Dovecot & Postfix to make the most of your more secure setup.

Test your website

Qualys SSL Labs have a very nice testing suite you can use to check your site:

Qualys SSLtest