How to move a certificate between Apache web servers

It often happens that one SSL certificate is used on multiple servers. This is quite a common practice for Wildcard or Multi-Domain certificates, or for large websites that use load balancing, which distributes the site load across multiple servers. Even a basic single-domain certificate can be used this way, in case it’s installed on multiple servers.

All SSL certificates that we offer are licensed for the unlimited number of physical servers. This guide explains how to move certificate files from one Apache web server to another.

Exporting certificate files from an Apache server is as easy as backing up all the necessary files needed for the SSL installation.

Those are:

  • Your domain certificate (your_domain_name.crt file received from Certificate Authority (CA))
  • Private Key (your_domain_name.key file generated together with CSR code on the server)
  • CA Bundle (your_domain_name.ca_bundle file or several .crt files received from the CA)

Option 1

The most convenient way to locate the exact file directories is by checking the VirtualHost section in your main Apache configuration file:

  1. Open your Apache configuration file being used for SSL. Usually, this is a common .conf file (this includes, but is not limited to httpd.conf, apache2.conf or ssl.conf).
    Default installation layouts for Apache HTTPD on various operating systems and distributions are listed here.

    Note: Some instances of Apache may have multiple configuration files, but only one of these configuration files can be used for SSL. All other configuration files that have SSL directives must be commented out.

  2. Locate the VirtualHost section where you have configured the SSL initially. The following command can be used as a search option:

    find / -type f -name '*\.conf' -exec grep -il "SSLCertificateFile" {} \;

  3. Within the VirtualHost block, find the following directives:

    <VirtualHost [IP="ADDRESS"]:443
    ...
    SSLCertificateFile /absolute/path/to/your_domain_name.crt
    SSLCertificateKeyFile /absolute/path/to/your_domain_name.key
    SSLCertificateChainFile /absolute/path/to/your_domain_name.ca_bundle
    ...
    </VirtualHost>


    • SSLCertificateFile directive shows the path to your domain’s certificate file.
      Example: SSLCertificateFile /etc/httpd/conf/ssl/certificate.crt
    • SSLCertificateKeyFile leads to the Private Key file associated with your certificate file.
      Example: SSLCertificateKeyFile /etc/httpd/conf/key/private.key
    • SSLCertificateChainFile directive shows the location of the CA Bundle or Certificate Authority Chain file.
      Example: SSLCertificateChainFile /etc/httpd/conf/ssl/bundle.crt

    The certificate chain is a number of certificates, called Intermediate, that connect end-user certificate to Certificate Authority Root by signing one another. The last certificate in chain (Root) should be matched to its copy in browser storage for domain certificate to be trusted.

    Important!SSLCertificateChainFile became obsolete with Apache version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

    Note: In some instances of Apache there may be SSLCACertificateFile directive instead.

  4. Copy those files and you are ready for the next Apache installation.

Option 2

 Another way to have your certificate files backed up and transported from one server to another on the safe side is by creating a PFX backup file.

The PKCS#12 (.pfx) file format includes the private key, the domain’s certificate and the bundle pieced together as a single backup file secured with a password.

In order to create a PFX backup file on your Apache web-server, run the following command in the terminal:

openssl pkcs12 -export -out certificate.pfx -inkey privatekey.key -in certificate.crt -certfile bundle.crt

Where certificate.pfx is your PKCS#12 (.pfx) backup file, privatekey.key is the key file associated with your certificate, certificate.crt your domain certificate and bundle.crt is the Certificate Authority chain file.

At the next step you will be asked to enter the password:

export_apache_01

Important! Keep in mind the export password you have entered, otherwise you won’t be able to extract the SSL files.

Note: Exported .pfx file can be used to import the certificate, private key and bundle not only into another Apache instance, but to any other Windows- or Java-based system.

Extracting certificate files

  1. To extract the files from a [*.pfx] backup, run this command on the server you are importing the certificate to and enter your export password:

    openssl pkcs12 -in certificate.pfx -out certificate.crt –nodes

    Where certificate.crt will contain a PEM encoded key, certificate and chain.

  2. Open certificate.crt with text editor and locate the aforementioned files inside.
  3. Copy the Private Key file and save it as private.key.

    It will look like:

    -----BEGIN RSA PRIVATE KEY-----
    [encoded data]
    -----END RSA PRIVATE KEY-----

  4. Copy the certificate file and save it as your_domain_name.crt.

    It will look like:

    -----BEGIN CERTIFICATE-----
    [encoded data]
    -----END CERTIFICATE-----

  5. Copy the rest of certificates and save them as bundle.crt.

    The bundle will look like a chain:

    -----BEGIN CERTIFICATE-----
    [encoded data]
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    [encoded data]
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    [encoded data]
    -----END CERTIFICATE-----


  6. Now you have all the necessary files needed for the SSL installation.

For detailed instructions on how to install SSL certificates for Apache web server, please refer to our Apache installation guide.

Updated
Viewed
28557 times

Need help? We're always here for you.

notmyip