Home » Wiki » How to Move SSL Certificate from Apache to Another Apache Server

How to Move SSL Certificate from Apache to Another Apache Server

by | SSL Certificate

Move SSL Certificate from Apache to Another Apache Server

Copy/Move SSL Certificate from Apache Server to Another Apache Server

Moving an SSL certificate between Apache servers requires a step-by-step process to maintain secure website connections. SSL certificate transfers between Apache servers protect sensitive data and ensure uninterrupted HTTPS functionality. The transfer involves copying key files from the source Apache server to the destination server while maintaining proper file permissions and configurations.

This process needs the SSL certificate file, private key file, and any intermediate certificates. System administrators can complete this task by accessing both servers, locating the certificate files in the Apache configuration directory, and implementing them correctly on the new server.

Following the correct steps prevents security issues and minimizes website downtime during the transfer.

Prerequisites for Moving an SSL Certificate

Before moving your SSL certificate, make sure you have the following:

  • You need access to and permissions to both the original and new Apache servers. You’ll also need to be able to modify configurations on both servers.
  • The domain name is associated with the SSL certificate. This is used to generate the CSR and import the certificate.
  • The SSL certificate file (with a .crt extension) contains the public certificate provided by the certificate authority.
  • The private key file (with a .key extension) contains the secret private key generated when you created the CSR.
  • Intermediate certificate files are available if provided by your certificate authority. Some CAs provide intermediate certs that must be bundled with the SSL certificate.
  • Downtime to move the certificate and restart the new server once configured. Plan for at least 30 minutes of downtime.

A Basic Steps of the SSL Certificate Migration Process from One Apache Server to Another 

Here is an overview of the main steps involved in migrating an SSL certificate from one Apache Server to another:

  • Locate the Certificate and Private Key
  • Export the Certificate and Private Key
  • Update the New Apache Server Configuration
  • Transfer and Import the Certificate and Key
  • Restart Apache to Use the New Certificate

Step 1: Locate the Certificate and Private Key

The first step is locating the SSL certificate file, private key, and intermediate certificates on your original Apache server.

These files are usually located in the Apache configuration folders, but depending on your setup, they may be saved elsewhere.

Here are some typical locations to find the SSL certificate and private key files:

  • /etc/pki/tls/certs: Contains .crt certificate files
  • /etc/pki/tls/private: Contains .key private keys
  • /etc/ssl/certs: Popular certificate storage folder
  • /etc/ssl/private: Popular private key storage folder

Use ls and find commands to search these folders and identify the correct certificate and private key files.

For example:

# Search for .crt files
ls /etc/pki/tls/certs

# Search for .key files  
find /etc/ssl -name *.key

The certificate file will have a .crt extension, while the private key has a .key extension.

If you used intermediate certificates, they may be bundled into one .crt file or have individual .pem or .crt extensions.

Once you’ve located all the necessary files, move on to exporting them from the original server.

Step 2: Export the Certificate and Private Key

Now that you’ve found the certificate and private key files export them from the original Apache server.

You must copy the files to a temporary location or transfer them to your local computer to export. This preserves the sensitive files, which you can then import to the new server.

Here are a couple of ways to export:

  • Use SCP to copy files to your local machine: With SCP, you can securely copy the files from the server to your local computer:
#Certificate
scp root@oldserver:/etc/ssl/certs/certificate.crt ./

#Private Key 
scp root@oldserver:/etc/ssl/private/privatekey.key ./
  • Copy files to a temporary folder: You can create a new folder and copy the certificate there:
cp /etc/ssl/certs/certificate.crt /tmp/ssl-backup
cp /etc/ssl/private/privatekey.key /tmp/ssl-backup

This exports the sensitive files and gets them ready for transfer. Be sure to copy the intermediate certificates as well, if needed.

Step 3: Update the New Apache Server Configuration

You’ll need to update the new Apache server configuration to use the SSL certificate once imported.

Within the Apache config, there is a Virtual Host section for each site using SSL certificates.

Edit the virtual host configuration for the site to which you are moving the certificate. Look for the SSLCertificateFile, SSLCertificateKeyFile, and any SSLCertificateChainFile directives.

For example, in Ubuntu, the file to edit is:

/etc/apache2/sites-available/default-ssl.conf

Update these directives to reference the certificate and key locations once imported:

SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/privatekey.key
SSLCertificateChainFile /etc/ssl/certs/intermediate.crt

Save the configuration changes but still need to restart Apache. Next, you’ll import the certificate and key files.

Step 4: Transfer and Import the Certificate and Key

It’s time to transfer the SSL certificate and private key to the new Apache server.

Use SCP again to copy the exported files over. For example:

#Certificate
scp certificate.crt root@newserver:/tmp/

#Private key
scp privatekey.key root@newserver:/tmp/

Alternatively, copy them from the temporary backup folder if you kept them on the original server.

After the files are copied over, move them into the correct Apache folders, as referenced in your virtual host configuration.

For example:

#Certificate
mv /tmp/certificate.crt /etc/ssl/certs/

#Private key
mv /tmp/privatekey.key /etc/ssl/private/ 

The certificate and key should now be in the correct location on the new server.

Double-check that the permissions on the files are correct and only readable by the root user for security.

Step 5: Restart Apache to Use the New Certificate

The last step is to restart Apache on the new server to apply the configuration changes.

This will enable the new server to find the SSL certificate and private key to handle HTTPS requests.

Restart Apache:

systemctl restart apache2

The new Apache server should now use the SSL certificate you moved over from the original server.

To test it, browse the website via HTTPS and verify the certificate is active and valid.

You may also need to clear your browser cache before testing the site.

That covers the full process of migrating an SSL certificate to a new Apache server! With these key steps, you can smoothly transition the certificate and minimize any downtime during the move.

Final Thoughts

Migrating an SSL certificate to a new server is straightforward when you follow the proper export, transfer, import, and configuration steps.

Before starting, be sure to locate the current certificate, private key, and intermediates and back them up. Then, update the new server config to point to the certificate location before restarting Apache.

With some planning and care during the move, you can switch SSL certificates with minimal downtime. After some quick configuration adjustments, your website will continue handling HTTPS traffic.

IT administrators commonly move certificates between servers. Following this guide will give you confidence when it’s time to migrate your SSL certificates to new infrastructure.

Frequently Asked Questions About Moving an SSL Certificate to a New Apache Server

Here are some common questions that come up when moving an SSL certificate to a new Apache server:

How do I transfer my SSL certificate files to a new Apache server?

Copy the certificate file (.crt), private key (.key), and chain file (.ca-bundle) from the old server to the new server’s SSL directory. Place these files in the /etc/ssl/certs/ or /etc/apache2/ssl/ directory.

What Apache configuration files need updating after moving SSL certificates?

Update the VirtualHost configuration file in /etc/apache2/sites-available/. Change the paths to match the new SSL certificate, key, and chain file locations.

Do I need to restart Apache after moving SSL certificates?

Yes. Run ‘sudo systemctl restart apache2’ or ‘service apache2 restart’ after updating certificate locations and configurations.

Will moving SSL certificates cause website downtime?

The website will experience 1-2 minutes of downtime during the Apache restart process. Schedule the move during low-traffic periods.

Can I use the same SSL certificate on both old and new servers simultaneously?

Yes. SSL certificates can work on multiple servers if you copy the files correctly and maintain proper configurations on each server.

How do I verify the SSL certificate is working on the new server?

Visit your website using HTTPS and check the certificate details in your browser. Use SSL checker tools to verify proper installation and configuration.

Priya Mervana

Priya Mervana

Verified Badge Verified Web Security Experts

Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.