• 7


My company is revamping their website and subdomains with a new platform which requires us to upgrade to a more performant LAMP server. That being said, I want to re-use the wildcard SSL that was originally created for use with our original LAMP stack.

My intention is to copy over the intermediate and primary certificates provided by our SSL authority to the new LAMP stack, update the Apache configuration files to make use of the new SSL cert and restart my web server.

Are there any security concerns I should be aware of when reusing an SSL cert like this? I just want to make sure that I'm not overlooking something crucial. Thanks.

First, let's clarify something: your certificates are public. Anyone can freely download them from your server. This is by design. The only file that needs to be kept truly private is the private key file that you generated when initially obtaining the certificate. Anyone that manages to get their hands on this file could potentially impersonate your service.

Now, to your question: other than ensuring that your private key is kept safe while transferring between hosts, there's nothing to worry about. If you're concerned about transferring the key and you want to be ultra paranoid, you can use gpg to encrypt the key before moving it, and then decrypt it on the new server.

  • 5
    • Though if you were really paranoid, you could probably use the re-key function available from most CAs to generate a new key/cert pair for the new host.
    • Thank you @EEAA! Does the process above invalidate the wildcard SSL on other subdomains/properties that may have been using it previously? I guess a different way to ask might be: If I rekey and regenerate the SSL, do I need to apply that newly generated SSL to the other sites?
    • This depends on your provider, but it's likely if you re-key, they will revoke any other certificates that have been issued for the old public key. You'd really just need to check with your certificate provider on this.
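
An added example (not part of the answers on this page): checks to run on the new server after the copy and before restarting Apache, confirming that the private key belongs to the certificate and that the key file is readable by its owner only. The function names, temporary paths and the self-signed `*.example.test` pair are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: post-copy checks on the new host. File paths are the caller's;
# the demo pair below is constructed and self-signed, not a real certificate.

# Succeeds only if the private key belongs to the certificate: both commands
# print the same PEM SubjectPublicKeyInfo when the pair matches.
# Assumes an unencrypted key file, as Apache normally loads it.
key_matches_cert() {    # usage: key_matches_cert cert.pem key.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if group and others have no permission bits on the key file.
key_is_private() {      # usage: key_is_private key.pem
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed test material: a throwaway self-signed wildcard pair plus an
# unrelated key, written into directory $1.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=*.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d) && make_demo_pair "$d" || return 1
    chmod 600 "$d/key.pem"; chmod 644 "$d/other.pem"
    key_matches_cert "$d/cert.pem" "$d/key.pem"   && echo "key.pem matches cert.pem"
    key_matches_cert "$d/cert.pem" "$d/other.pem" || echo "other.pem does not match"
    key_is_private "$d/key.pem"   && echo "key.pem is owner-only"
    key_is_private "$d/other.pem" || echo "other.pem is readable by others"
    rm -rf "$d"
}
demo
```

The public-key comparison works for RSA and EC keys alike, since it compares the encoded public key and not an RSA modulus.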

There is nothing fundamentally wrong with securely copying your old certificate & key, so long as you are certain you understand the distinction as @EEAA clarified.

Yet I believe it is reasonable to establish the practice of always re-keying (re-issue) the certificate when doing some sort of big move that dwarfs the extra setup steps. The following 3 are the security concerns you should be aware of when reusing your old key but are mitigated if you re-key instead:

  1. Starting clean + ease of mind: After installing on a fresh stack, you should simply not have to be concerned about potential previous breaches any more.
  2. Backups of the previous server should no longer be a liability in terms of losing the key in future breaches. (You still need to make sure that there are no backups of an older version lying around for other reasons than the key: often forgotten, because the server has moved since)
  3. New algorithms: afaik there currently is no relevant transition going on - but when the time comes again, it is likely that re-keying automatically updates you to the current set of constraints (extensions) & hash algorithms. SHA-1 sunset was much better than md5 deprecation, expect CAs to urge their customers to upgrade faster next time.

Most CAs allow you to generate a fresh certificate with a fresh key in a free self-service process - valid until your previous one would have expired, invalidating your old certificate soon after issuing the new one.

  • 1
    • Thank you! Does regenerating an SSL cert for the purposes of migrating to a new server invalidate any other sub-domains/properties that may be using the wildcard cert yet are hosted elsewhere?
      • 1
    • "may be using" sounds extremely dangerous. You should always have a list somewhere that says exactly which certificates, expiring when, are used where. In general, same certificate = same result when re-keying = unchanged instances go invalid everywhere, worldwide.
