Reputation: 870
What is the best practice to make a switch from last year's SSL certificate to the next year's? Is it possible to declare both certificates in the enabled site config for the same site/IP?
If I have to make the switch manually the minute before the cert expires, then are there any scripts or tips to make it automatic in Linux (Ubuntu)?
I have a standard setup with VirtualHost that declares current certs:

    SSLEngine on
    SSLCertificateFile ...crt.2012
    SSLCertificateKeyFile ...key.2012
Upvotes: 2
Views: 161
Reputation: 4853
You generally want your new certificate to have a validity period beginning some time before the end of validity of the old one. That way, you have the time to change the SSLCertificateFile (and SSLCertificateKeyFile if needed), do a graceful reload and test. If something does not work fine, you can do a rollback (as the old certificate is still valid) and maybe have a new certificate issued if need be.
Upvotes: 2
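A pre-flight check for the overlap approach described in the answer above, as an added example that is not part of the original posts: it confirms the new key matches the new certificate, that the new certificate is already valid, and that the old one stays valid long enough to roll back. The function names, the 7-day rollback margin, GNU `date`, and `apache2ctl` (the Ubuntu wrapper) are assumptions.

```bash
#!/usr/bin/env bash
# Added example: checks to run before pointing SSLCertificateFile at a renewed cert.
# Function names and the default 7-day margin are assumptions, not from the page.

# Succeeds when the private key belongs to the certificate (same public key).
key_matches_cert() {  # usage: key_matches_cert CERT KEY
    local a b
    a=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$a" = "$b" ]
}

# Succeeds when the certificate's notBefore is not in the future (needs GNU date).
already_valid() {  # usage: already_valid CERT
    local start
    start=$(openssl x509 -in "$1" -noout -startdate) || return 1
    [ "$(date -d "${start#notBefore=}" +%s)" -le "$(date +%s)" ]
}

# Succeeds when the certificate is still valid MARGIN seconds from now.
valid_for() {  # usage: valid_for CERT MARGIN_SECONDS
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Full pre-flight; a distinct non-zero status identifies the failed check.
ready_to_switch() {  # usage: ready_to_switch NEW_CERT NEW_KEY OLD_CERT [MARGIN]
    local margin=${4:-604800}
    key_matches_cert "$1" "$2" || { echo "key does not match new cert" >&2; return 1; }
    already_valid "$1" || { echo "new cert is not valid yet" >&2; return 2; }
    valid_for "$1" 0 || { echo "new cert has already expired" >&2; return 3; }
    valid_for "$3" "$margin" || { echo "old cert expires inside rollback margin" >&2; return 4; }
}

# Run after editing the VirtualHost: syntax-check first, then reload gracefully.
reload_apache() {
    apache2ctl configtest && apache2ctl graceful
}
```

Run `ready_to_switch` against the new files before editing the VirtualHost, and `reload_apache` afterwards; a status of 4 means the rollback window the answer relies on is already too short.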