If you are moving your secure Web site from one server to another, there are a few specific things you need to be aware of in order for the certificate to work on the new server.

Changing Operating Systems

Digital certificates work differently with different operating systems and Web server software. Because of this, a certificate generated for a Windows 2003 Server running the IIS Web server does not work on a UNIX server running Apache. Likewise, a UNIX server running Netscape Web Server cannot use a certificate designed to run on a UNIX server running Apache. All the Virtual Private Servers run a variant of Apache on a UNIX platform, however, which means that if you are moving from one Virtual Private Server to another, the certificate will probably work.

If your current certificate is not compatible with your new server, you will need to obtain a certificate for the new operating system and Web server. Most Certificate Authorities will issue a transfer certificate at a lesser cost than obtaining a new certificate. When transferring your certificate to a Virtual Private Server, be sure to get a certificate for Apache with SSL, openssl, or ModSSL (these are all the same thing, although different Signing Authorities may use slightly different names).

The Signing Authority will provide you with instructions on how to install a Transfer Certificate.

Moving a Certificate to a new server

If your current certificate is compatible with the server you are moving your secure Web site to, you do not need to get a new certificate. Simply move your certificate to the new server and ensure that it works.

  1. Copy the Certificate to the New Server
    Using FTP or another method, copy the certificate and Private Key files to the new server. Both the certificate and the key are stored in the /usr/local/certs/ directory of the Virtual Private Server. If this directory does not exist, you should create it. The certificate should be in a file named ssl.cert, and the key should be in the ssl.pk file. If you use FTP, be sure to copy the files to the new server as ASCII files.
  2. Make Sure your Private Key has been Decrypted
    It's a good idea to check your Private Key to make sure it has been decrypted. Use more or your favorite text editor to view the file. If your key has been decrypted, you should not see the following lines before the encoded elements of the key.
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,BCC23A5E16582F3D
    If your Private Key does have those lines near the beginning, run the following command to remove the encryption.
    % openssl rsa -in ssl.pk -out ssl.pk
  3. Create a PEM file
    You now need to create a PEM file that contains both the certificate and key. To do this, run the following commands (substituting your domain name for example.com):
    # cd /usr/local/certs
    # cp ssl.pk example.com.pem
    # cat ssl.cert >> example.com.pem
  4. Edit httpd.conf

    Edit your /www/conf/httpd.conf file to look for your certificate file by adding the following to the main section of your httpd.conf file:

    SSLCertificateFile /usr/local/certs/example.com.pem
  5. Restart Apache
    With the /usr/local/certs/ssl.pk in place and decrypted, and the /usr/local/certs/ssl.cert in place on your Virtual Private Server, run the restart_apache command to restart your Web server so that it will use the new certificate.
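
A pre-flight check for steps 2 and 3, added here as an example and not part of the original ITS instructions: it refuses to build the combined PEM if ssl.pk is still encrypted or does not match ssl.cert. The function names and the owner-only file mode are assumptions of this example. It also recognises the PKCS#8 encrypted-key header, which the page does not mention, and assumes an RSA key, as the page's openssl rsa command does.

```shell
#!/bin/sh
# Added example: pre-flight checks for steps 2-3. File names follow the page;
# the function names and the 600 file mode are this example's assumptions.

# 0 if the key is still passphrase-protected: the "Proc-Type: 4,ENCRYPTED"
# header shown in step 2, or a PKCS#8 "ENCRYPTED PRIVATE KEY" block.
key_is_encrypted() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# 0 if the certificate and the RSA key have the same modulus, i.e. the
# right key was copied; 2 if either file cannot be parsed by openssl.
cert_matches_key() {   # cert_matches_key CERT KEY
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    key_mod=$(openssl rsa -noout -modulus -passin pass: -in "$2" 2>/dev/null) || return 2
    [ "$cert_mod" = "$key_mod" ]
}

# Key first, then certificate, as in step 3; the result holds the private
# key, so it is created owner-only.
build_pem() {          # build_pem KEY CERT OUT
    ( umask 077 && cat "$1" "$2" > "$3" ) && chmod 600 "$3"
}

# Refuse to build the PEM unless the key is decrypted and matches the cert.
prepare_pem() {        # prepare_pem DIR DOMAIN
    dir=$1 domain=$2
    if key_is_encrypted "$dir/ssl.pk"; then
        echo "ssl.pk is still encrypted; run step 2 first" >&2
        return 1
    fi
    if ! cert_matches_key "$dir/ssl.cert" "$dir/ssl.pk"; then
        echo "ssl.cert and ssl.pk do not belong together" >&2
        return 1
    fi
    build_pem "$dir/ssl.pk" "$dir/ssl.cert" "$dir/$domain.pem"
}
# After sourcing this file: prepare_pem /usr/local/certs example.com
```

A non-zero return from prepare_pem means the PEM was not written, so Apache is never restarted against a key it cannot read or a mismatched pair.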

If you have trouble getting your certificate to work, check the Digital Certificate Troubleshooting Guide for help. You are also welcome to Contact our Support Staff for help.

Please note: the information on this page applies to ITS web hosting plans. It may or may not apply to other environments. If you are looking for a feature described here, or better support from your hosting provider, please consider hosting your site with ITS!
