Posted on by Zion Ng

Things to watch out for when renewing SSL certificates

Do not renew for more than a year. Starting 01 September 2020, SSL certificates will be deemed invalid by Apple and Google if their validity period is greater than 398 days – see this article and this article. If your domain/server needs to be accessed from Safari or Apple devices, you need to keep this in mind.

Do not use AWS Certificate Manager (ACM) if SSL certificate needs to be exported for non-AWS services. The SSL certificates issued by the ACM Public Certificate Authority (CA), together with their private keys, cannot be exported – see this article. This becomes an issue if you need to import the SSL certificate and private key into a non-AWS service, e.g. you configured https://alpha.example.com as a CDN distribution on AWS CloudFront and https://beta.example.com as a CDN distribution on Akamai. How about the ACM Private CA, where certs and keys can be exported? Well, those are typically used within organisations and require administrators to configure all the computers in the organisation to trust them, similar to self-signed certificates. If your domain needs to be publicly accessible from the Internet, note that browsers only trust certificates from public CAs by default, unless you can configure all the computers in the world to trust your certificate.

Use only 2048 bits for the private key if using AWS. AWS CloudFront and AWS Elastic Load Balancer (ELB) only support up to 2048 bits for the key – see this article. Also, AWS ACM will show an error if you used 2048 bits for the previous imported SSL certificate and try to re-import a renewed SSL certificate that uses 4096 bits for the key. Tried and tested 😛

Remember to save both the private key and CSR file when generating the Certificate Signing Request (CSR). First-timers may just upload the CSR file and forget to back these up after receiving the SSL certificates. These will be needed to verify the SSL certificate later and the private key is needed when importing the SSL certificate onto AWS and servers.

The SSL certificate for the domain and its intermediate certificates must be bundled together as a certificate chain when installing/renewing it. Using Sectigo (formerly Comodo) as an example, when you purchase an SSL certificate from them, you will receive 4 files: STAR_example_com.crt,
SectigoRSADomainValidationSecureServerCA.crt, USERTrustRSAAAACA.crt and AAACertificateServices.crt. You cannot just provide STAR_example_com.crt for use with AWS Certificate Manager, Apache, Nginx or Apache Solr. You will need to provide the private key as well as a bundle certificate comprising all the 4 certificates. The bundle certificate can be created using a text editor by simply copying and pasting the contents of the 4 certificates into a new file, e.g. STAR_example_com_fullchain.pem, but the order is important. The 1st certificate should be the primary certificate issued for the domain *.example.com, followed by the original issuer (in this case Sectigo), the intermediate CAs and finally the root certificate.

And last but not least, the steps for renewing an SSL certificate (example below is for a wildcard SSL certificate, e.g. *.example.com):

  1. Login to the website of your favourite SSL certificate issuer/provider.
  2. Purchase the wildcard SSL certificate. This typically covers one primary domain and unlimited subdomains. Note that this is different from an SSL certificate for multiple domains/websites. Different providers may label their products differently.
  3. Choose 1 year. If you have currently more than a year of validity on your SSL certificate, stop here and read the 1st paragraph.
  4. For the primary domain, key in: *.example.com
  5. After payment, go to the dashboard and you will be asked to provide a Certificate Signing Request (CSR).

    • Run this command to generate a new private key and a new CSR (you will be asked some questions): openssl req -nodes -newkey rsa:2048 -sha256 -keyout STAR_example_com_2048.key -out STAR_example_com.csr
    • For the “Common Name” question, key in: *.example.com
    • Submit the CSR, typically by pasting the contents of the .csr file.
    • Save both the private key and CSR file!
  6. You will be asked to verify ownership of the domain. Choose whichever method is most convenient for you.
  7. Upon completion, you will receive the SSL certificate via email. Run the following commands to check that the private key and CSR match the certificate – the output hashes from the 3 commands must be exactly the same.

          openssl pkey -in STAR_example_com.key -pubout -outform pem | sha256sum
      openssl x509 -in STAR_example_com.crt -pubkey -noout -outform pem | sha256sum
      openssl req -in STAR_example_com.csr -pubkey -noout -outform pem | sha256sum
  8. To check the validity period of the SSL certificate, run openssl x509 -noout -in STAR_example_com.crt -dates
  9. To list the domains in the SSL certificate, run cat STAR_example_com.crt | openssl x509 -text | grep DNS
  10. Check the order of your certificates after you have created the certificate chain. The certificate chain is one used for installation, not just the primary domain certificate.

          ## Run this command on the primary certificate issued for the domain
      openssl crl2pkcs7 -nocrl -certfile STAR_example_com.crt | openssl pkcs7 -print_certs -noout
      
      ## Sample output for the command above
      # subject=/CN=*.example.com
      # issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
      
      ## Run this command on the certificate chain you created
      openssl crl2pkcs7 -nocrl -certfile STAR_example_com_fullchain.pem | openssl pkcs7 -print_certs -noout
      
      ## Sample output for the command above - the issuer for the 1st cert should be the subject for the 2nd cert, etc.
      # subject=/CN=*.example.com
      # issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
      # 
      # subject=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
      # issuer=/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
      # 
      # subject=/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
      # issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
      # 
      # subject=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
      # issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services

References:

  1. Commands for verifying the validity of an SSL certificate
  2. Creating a .pem File for SSL Certificate Installations
  3. What is SSL Certificate Chain