Table of Contents
YaDDNet : VPS SSL Renewal
Renewed SSL certificates for 2025/6
Read the final part about combining the 2 intermediate certificates!
15/03/25 : SSL certificates
- Renewed SSL certificates available for download on Fasthosts account
- Download “Certificate” and rename →
signed.crt - Download both “Intermediate Certificates”
- not sure why there are 2 intermediate certificates
- rename one as
ca.pem.1 - renmame other as
ca.pem.2
- Use WinSCP to copy the 3 certificates to the Yaddnet VPS
- Log on to yaddnet vps via SSH
- copy existing certificates in
/usr/local/sslfromsigned.crt→signed.crt.oldca.pem→ca.pem.old
- copy new certificates from
homedirectory to/usr/local/ssl - for clarity this gives new files
/usr/local/ssl/signed.crt/usr/local/ssl/ca.pem.1/usr/local/ssl/ca.pem.2- copy
ca.pem.2→ca.pem
- Restart Apache
service apache2 restart
- browse to https://www.yaddnet.org/index.php?
- site loads correctly
- check site security
- swap
ca.pemfiles (copyca.pem.1→ca.pem) - Restart Apache
- browse to https://www.yaddnet.org/index.php?
- site loads correctly
- security also valid
Different intermediate CA.pem certificates
I used openssl to inspect the two different intermediate certificates
gm4slv@yaddnet2:~ $ openssl x509 -in ca.pem -noout -text > /home/gm4slv/capemold.txt
- for ca.pem.1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
39:72:44:3a:f9:22:b7:51:d7:d3:6c:10:dd:31:35:95
Signature Algorithm: sha384WithRSAEncryption
Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
Validity
Not Before: Mar 12 00:00:00 2019 GMT
Not After : Dec 31 23:59:59 2028 GMT
Subject: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
- or ca.pem.2
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7d:5b:51:26:b4:76:ba:11:db:74:16:0b:bc:53:0d:a7
Signature Algorithm: sha384WithRSAEncryption
Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
Validity
Not Before: Nov 2 00:00:00 2018 GMT
Not After : Dec 31 23:59:59 2030 GMT
Subject: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
- and for completeness the old original ca.pem from prior to the renewal
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0d:e0:ff:b5:ee:62:cb:61:10:9f:60:8c:9c:ed:5e:d3
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
Validity
Not Before: Nov 27 12:46:40 2017 GMT
Not After : Nov 27 12:46:40 2027 GMT
Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G2
It appears that the certificate (ca.pem.2) from “Sectigo” has the longest validity, and that this is the more recent/appropriate one, so I've made it the certificate in use
sudo cp ca.pem.2 ca.pem
sudo service apache2 restart
UPDATE ON TWO INTERMEDIATE CERTIFICATES 5/7/25
I've discovered that the 2 Intermediate Certificates are necessary to complete the chain of authority.
What should be done is to join them together into one ca.pem file (and in the correct order…. )
Don't rename the 2 files as ca.pem.1 and ca.pem.2 per the above
Transfer them both with their original names and then cat them together
[root@yaddnet2:/home/g4slv/ssl]# cat 397A66CC2756362E0DAA87CA6EABE3B1.cer 7D5B5126B476BA11DB74160BBC530DA7.cer > ca.pem [root@yaddnet2:/home/g4slv/ssl]# cp ca.pem /usr/local/ssl [root@yaddnet2:/home/g4slv/ssl]# systemctl restart apache2
Check correct SSL operation at https://www.ssllabs.com/ssltest/analyze.html
— John Pumford-Green 15/03/25 06:36 GMT