Sectigo / Comodo Certificate renewal

So, its time for your SSL certificate renewal. You need to generate a new Certificate Signing Request (CSR) using OpenSSL w/ Apache + mod_ssl together with your Public Key and submit these to Sectigo or your favorite third party SSL vendor.

To generate your keys and certificate on your CentOS server using command line:

# openssl req -nodes -newkey rsa:2048 -keyout domain.key -out yourdomain.csr

These will generate two files: domain.key which is your private key and yourdomain.csr which is your CSR.

The extra attributes can be left blank particularly if this is a domain SSL certificate, else you need to supply the password every time you start Apache.

Submit and pay your renewal fees and wait for them to email your certificates.

You will be receiving these following certificates:

  • Root CA Certificate – AddTrustExternalCARoot.crt
  • Intermediate CA Certificate – USERTrustRSAAddTrustCA.crt
  • Intermediate CA Certificate – SectigoRSAOrganizationValidationSecureServerCA.crt
  • Your PremiumSSL Certificate –

Make a bundle file from all your CRT files:

# cat SectigoRSAOrganizationValidationSecureServerCA.crt USERTrustRSAAddTrustCA.crt AddTRustExternalCARoot.crt >> 2019_ssl_sectigo.crt

Update your apache.conf file under <VirtualHost> section with the new certificate files then restart your web server.

Leave a Reply

Your email address will not be published. Required fields are marked *