Updating SSL certificates to SHA2
A short guide to updating existing Comodo PositiveSSL certificates to SHA2. These certificates are pretty cheap when bought from SSLs.com.
Reissue the certificate
Open your account page on SSLs.com and navigate to 'My SSLs'.
Here you can hit the 'Reissue' button. Your old certificate will still work through this process, so no worries there.
After proceeding you'll be asked to provide a Certificate Signing Request.
Creating new certificate requests
I'm using OpenSSL over SSH (PuTTY) to create the requests:
openssl req -nodes -newkey rsa:2048 -keyout your.domain.com.key -out your.domain.com.csr
cat your.domain.com.csr
Or if you want a stronger RSA key:
openssl req -nodes -newkey rsa:4096 -keyout your.domain.com.key -out your.domain.com.csr
cat your.domain.com.csr
Copy the CSR and paste it in the appropriate form on the SSL provider website.
Creating a chained certificate
A chained certificate is, in practice, nothing more than several certificate files bundled into one. To create a usable 'your.domain.com_chained.crt' with a Comodo PositiveSSL certificate you can run the following command:
cat your.domain.com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > your.domain.com_chained.crt
AddTrustExternalCARoot.crt should be included in the .zip you received by e-mail.
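Before installing the reissued files it is worth checking that the CSR and certificate really are SHA-2 signed, that the private key matches, and that the server certificate comes first in the chained file. The script below is an added example, not part of the original guide; the function names, example.test and the self-signed certificate in demo are constructed stand-ins for your domain and the certificate the CA returns.

```shell
#!/usr/bin/env bash
# Added example: checks to run before installing a reissued certificate.

# Print the signature algorithm of a certificate (x509) or a CSR (req).
sig_alg() {        # usage: sig_alg x509|req FILE
    openssl "$1" -in "$2" -noout -text |
        awk -F': *' '/Signature Algorithm/ { print $2; exit }'
}

# Succeed only if the algorithm name uses a SHA-2 family digest.
is_sha2() {        # usage: is_sha2 "$(sig_alg x509 FILE)"
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *sha224*|*sha256*|*sha384*|*sha512*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if FILE and KEY hold the same public key. For a bundle,
# openssl x509 reads the first certificate only, so this also confirms
# that the server certificate comes first in the chained file.
same_pubkey() {    # usage: same_pubkey x509|req FILE KEY
    local a b
    a=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$3" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed demo in a temporary directory. -sha256 is passed explicitly
# so the CSR digest does not depend on the local OpenSSL default.
demo() {
    local d; d=$(mktemp -d) || return 1
    openssl req -nodes -newkey rsa:2048 -sha256 -subj "/CN=example.test" \
        -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$d/site.csr" \
        -signkey "$d/site.key" -out "$d/site.crt" 2>/dev/null
    # A real bundle appends the CA certificates after the server one.
    cat "$d/site.crt" > "$d/site_chained.crt"
    is_sha2 "$(sig_alg req "$d/site.csr")" && echo "CSR: SHA-2 signature"
    is_sha2 "$(sig_alg x509 "$d/site_chained.crt")" && echo "cert: SHA-2 signature"
    same_pubkey x509 "$d/site_chained.crt" "$d/site.key" && echo "key matches cert"
    rm -rf "$d"
}
demo
```

On the real files, run the same three checks against your.domain.com.csr, your.domain.com_chained.crt and your.domain.com.key.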
That's all there is to it! The next article will show you how to update some settings on NGINX, Dovecot & Postfix to make the most of your more secure setup.
Test your website
Qualys SSL Labs have a very nice testing suite you can use to check your site: