Knowledge Base

How to move a certificate between Apache web servers

It often happens that one SSL certificate is used on multiple servers. This is quite a common practice for Wildcard or Multi-Domain certificates, or for large websites that use load balancing, which distributes the site load across multiple servers. Even a basic single-domain certificate can be used this way, in case it's installed on multiple servers.

All Comodo SSL certificates we offer are licensed for the unlimited number of physical servers.

This guide explains how to move certificate files from one Apache web server to another.

Exporting certificate files from an Apache server is as easy as backing up all the necessary files needed for the SSL installation.

Those are:

  • Your domain certificate
  • Private Key
  • CA Bundle

The most convenient way to locate the exact file directories is by checking the < virtualhost > section in your main Apache configuration file:

  1. Open your Apache configuration file being used for SSL. Usually, this is a common .conf file (this includes, but is not limited to httpd.conf, apache2.conf or ssl.conf).
    Default installation layouts for Apache HTTPD on various operating systems and distributions are listed here.

    Note:Some instances of Apache may have multiple configuration files, but only one of these configuration files can be used for SSL. All other configuration files that have SSL directives must be commented out.


  2. Locate the < virtualhost > section where you have configured the SSL initially. The following command can be used as a 'search' option:

    search

  3. Within the < virtualhost > block, find the following directives:

    virtual_host

    • 'SSLCertificateFile' directive shows the path to your domain's certificate file.
      Example: SSLCertificateFile /etc/httpd/conf/ssl/certificate.crt
    • 'SSLCertificateKeyFile' leads to the Private Key file associated with your certificate file.
      Example: SSLCertificateKeyFile /etc/httpd/conf/key/private.key
    • 'SSLCertificateChainFile' directive shows the location of the CA Bundle or Certificate Authority Chain file.
      Example: SSLCertificateChainFile /etc/httpd/conf/ssl/bundle.crt

    The certificate chain is a number of certificates, called Intermediate, that connect end-user certificate to Certificate Authority Root by signing one another. The last certificate in chain (Root) should be matched to its copy in browser storage for domain certificate to be trusted.

    Important! 'SSLCertificateChainFile' became obsolete with Apache version 2.4.8, when 'SSLCertificateFile' was extended to also load intermediate CA certificates from the server certificate file.

    Note: In some instances of Apache there may be 'SSLCACertificateFile' directive instead.


  4. Copy those files and you are ready for the next Apache installation.

Another way to have your certificate files backed up and transported from one server to another on the safe side is by creating a PFX backup file.

The PKCS#12 (.pfx) file format includes the private key, the domain's certificate and the bundle pieced together as a single backup file secured with a password.

In order to create a PFX backup file on your Apache web-server, run the following command in the terminal:

openssl pkcs12 -export -out certificate.pfx -inkey privatekey.key -in certificate.crt -certfile bundle.crt

Where 'certificate.pfx' is your PKCS#12 (.pfx) backup file, 'privatekey.key' is the key file associated with your certificate, 'certificate.crt' your domain certificate and 'bundle.crt' is the Certificate Authority chain file.

At the next step you will be asked to enter the password:

password

Important! Keep in mind the export password you have entered, otherwise you won't be able to extract the SSL files.

Note: Exported .pfx file can be used to import the certificate, private key and bundle not only into another Apache instance, but to any other Windows- or Java-based system.

Extracting certificate files.

  1. To extract the files from a [*.pfx] backup, run this command on the server you are importing the certificate to and enter your export password:

    openssl pkcs12 -in certificate.pfx -out certificate.crt -nodes

    'certificate.crt' will contain a PEM encoded key, certificate and chain.

  2. Open 'certificate.crt' with text editor and locate the aforementioned files inside.
  3. Copy the Private Key file and save it as 'private.key'.

    It will look like:

    -----BEGIN RSA PRIVATE KEY-----
    [encoded data]
    -----END RSA PRIVATE KEY-----

  4. Copy the certificate file and save it as 'your_domain_name.crt'.

    It will look like:

    -----BEGIN CERTIFICATE-----
    [encoded data]
    -----END CERTIFICATE-----

  5. Copy the rest of certificates and save them as 'bundle.crt'.

    The bundle will look like a chain:

    -----BEGIN CERTIFICATE-----
    [encoded data]
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    [encoded data]
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    [encoded data]
    -----END CERTIFICATE-----


  6. Now you have all the necessary files needed for the SSL installation.

For detailed instructions on how to install SSL certificates for Apache web server, please refer to our Apache installation guide.