Why do I Need to Install or Reinstall My SSL Certificate?

According to GlobalSign:

The Certificate Authority (CA) industry was alerted of compliance implications related to the inclusion of a specific extension (OCSP-signing extended key usage) in CA certificates which has, under certain conditions, unintended compliance and security implications. A number of GlobalSign Issuing CAs have been impacted by this issue. While no key compromise or security incident has taken place, we will be revoking these Issuing CA’s as part of our remediation plan in accordance with the CA/B Forum Baseline Requirements and the GlobalSign CPS. Revoked intermediate certificates can cause errors in the validation of certificates signed by these Intermediate Certificates.

So, What Exactly Does This Mean?

It means that one of the intermediate (issuing CA) certificates that validates your SSL certificate was found to have a flaw. Although no security issues have been seen, GlobalSign has opted to revoke that certificate as a precautionary measure to ensure no compromises affect its clients.

What is the Next Step?

GlobalSign is asking you to search your server for any affected certificates and either replace or reissue them using the steps outlined by GlobalSign below.

Reissuing an Existing SSL Certificate

GlobalSign has asked clients affected by this issue to take the following steps.
1. Search For Impacted Certificates at GlobalSign
2. Reissue any affected SSL Certificates
3. Install New Certificates (select the server type on this page, e.g., Apache, Nginx, IIS)
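
As an aid to step 1, the following is an added example; it is not GlobalSign's tool and not part of the original article. It lists each certificate in a directory with its issuer and flags CA certificates that carry the OCSP Signing extended key usage described in the notice. GlobalSign's own search remains the authority on which issuing CAs are being revoked; the function names and the /etc/httpd/ssl example path are assumptions.

```shell
#!/bin/sh
# Added example: classify certificates on a server so that CA certificates
# carrying the OCSP Signing extended key usage stand out.
# Function names are illustrative, not from any GlobalSign tooling.

# classify_cert <cert.pem> prints: ca-with-ocsp-signing | ca | leaf | unreadable
classify_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo unreadable; return 0; }
    # The EKU values are printed on the line after the extension's name.
    eku=$(printf '%s\n' "$text" |
        awk '/X509v3 Extended Key Usage/ { getline; print; exit }')
    case "$text" in
        *CA:TRUE*)
            case "$eku" in
                *"OCSP Signing"*) echo ca-with-ocsp-signing ;;
                *)                echo ca ;;
            esac ;;
        *)  echo leaf ;;
    esac
}

# issuer_of <cert.pem> prints the issuer name, which is what you compare
# against GlobalSign's list of impacted issuing CAs.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer= *//'
}

# audit_dir <directory> prints one tab-separated line per certificate file:
# path, classification, issuer.
audit_dir() {
    for f in "$1"/*.crt "$1"/*.pem; do
        [ -f "$f" ] || continue
        class=$(classify_cert "$f")
        # Skip private keys and other PEM files that are not certificates.
        if [ "$class" != unreadable ]; then
            printf '%s\t%s\t%s\n' "$f" "$class" "$(issuer_of "$f")"
        fi
    done
}

# Run as: sh audit.sh /etc/httpd/ssl
if [ "$#" -eq 1 ]; then audit_dir "$1"; fi
```

A leaf certificate is never flagged itself; what matters for it is whether the issuer printed in the third column is one of the issuing CAs GlobalSign lists.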

What if I Need a New SSL Certificate?

In that case, we have outlined below the steps you need to take to install a new SSL certificate.

Obtaining a New SSL Certificate

In order to create a new SSL certificate, we must follow these steps.

1. Generate a CSR — Create a new Certificate Signing Request.

2. Purchase a Certificate — Send the CSR to GlobalSign and pay for the order. They then vet the info and provide a signed certificate.

3. Install the Certificate — We then install the SSL on the server. Typically, this falls under the Apache configuration.

Below, we provide greater detail to accomplish this task on both Core Managed CentOS and Unmanaged CentOS Servers.

To obtain a new SSL certificate, you must first generate a CSR, or Certificate Signing Request. Next, you must submit your CSR to GlobalSign to get a new SSL certificate. Once you have ordered your certificate and the vetting process is complete, you are ready to install it. You can obtain a copy of your certificate at any time via your GlobalSign Certificate Center (GCC) account. It will also be emailed to you.

Before installing your SSL certificate, you will need to ensure you have two other certificates provided by GlobalSign installed. These additional certificates, which can be downloaded here, are known as intermediate certificates and are linked to GlobalSign’s root certificate. These intermediate certificates are needed to ensure your clients’ browsers trust the SSL certificate you are installing.

Generate a CSR Certificate

We begin by generating a CSR to send to GlobalSign for your SSL using this command.

openssl req -new -newkey rsa:2048 -nodes -keyout /etc/ssl/private/mydomain.key -out /etc/ssl/private/mydomain.csr

(replacing “mydomain” with your domain name)

You will be prompted to answer a series of questions, noted below.

  • Country Name: This is the two-letter abbreviation for your country. For example, United States would be US, and Great Britain would be GB.
  • State or Province Name: This is the full name of the state your organization operates from. For example, this might be “California” or “Michigan.”
  • Locality Name: Name of the city your organization operates from. Examples might include “Lansing” or “Phoenix.” Don’t use abbreviations in this field. For example, “St. Helena” should be “Saint Helena.”
  • Organization Name: The name of your organization. If you are a business, you must use your legal name. If you are applying as an individual, you use your full name instead.
  • Organizational Unit Name: If applying as a business, you can enter your “Doing Business As” (DBA) name here. Alternatively, you can use a department name here. For example, “IT Department” or “Web Administration.”
  • Common Name: The domain name that you are purchasing an SSL certificate for. This must be a fully qualified domain name (FQDN). An example might be
  • Email Address: An email address that can be used as a point of contact for your domain. Be sure the address is valid!
  • A challenge password: An optional password to further secure your certificate. Be sure to remember this password if you choose to use it. It must be at least four characters long. You can skip this step if you like.
  • An optional company name: Another optional step. Fill in your company name if you wish. This is not required for web SSL certificates.

Key and CSR Files

In the /etc/ssl/private directory given to -keyout and -out above, you should see two new files.

  • mydomain.csr
  • mydomain.key

The .key file should be kept private on your server. The .csr file is your new certificate signing request. This file contains the information that will be sent to a Certificate Authority. You can inspect the contents of the CSR by using the “cat” command.

cat /etc/ssl/private/mydomain.csr


You will need to copy and paste the entire contents of the CSR file to your Certificate Authority when ordering a new SSL certificate. Be sure to include the lines that read 




Order a New SSL Certificate

You can now order a new SSL from within your Manage Dashboard. Select Add and then SSL Certificate.


Next, choose the manual option and paste in the CSR that was generated above.


Lastly, click the Purchase SSL Certificate button.


Install the SSL Certificate

To install the certificate when it arrives, copy the files into the usual location for them, the /etc/httpd/ssl folder on your server. This includes your server certificate, private key, and an intermediate certificate. Your server certificate can be obtained from the delivery e-mail.

Next, open your Apache configuration file for editing. This will generally be found in one of the following locations


Now, configure your virtual host to use the certificates. Locate the virtual host for your site in the httpd.conf file. It should look like the example below.

    <VirtualHost *:443>
        DocumentRoot /var/www/examplesite
        SSLEngine on
        SSLCertificateFile /path/to/examplesite.crt
        SSLCertificateKeyFile /path/to/privatekey.key
        SSLCertificateChainFile /path/to/intermediate.crt
    </VirtualHost>

Point the following directives to the corresponding certificate located in the /etc/httpd/ssl folder.

SSLCertificateFile — This should point to your server certificate.
SSLCertificateKeyFile — This should point to your server's private key.
SSLCertificateChainFile — This should point to the intermediate certificate for your product.

Test your updated configuration by running the following command.

[root@host2 ~]# apachectl configtest

or, on Debian and Ubuntu systems, where the control script is named apache2ctl:

[root@host2 ~]# apache2ctl configtest

This will detect any errors in your configuration such as mismatched public and private keys, or an incorrect path.

Finally, restart Apache

[root@host2 ~]# systemctl restart httpd.service
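
Checks that can be run on the three files before the restart above, as an added example that is not part of the original article: they confirm that the private key belongs to the server certificate, that the certificate has not expired, and that the intermediate named in SSLCertificateChainFile is the one that signed it. The function names are this example's own, and the paths in the usage comment are the placeholders from the virtual host example.

```shell
#!/bin/sh
# Added example: consistency checks for the files referenced by
# SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile.

# The certificate and the private key must contain the same public key.
cert_matches_key() {    # <server.crt> <private.key>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The intermediate must be the certificate's named issuer, and its key must
# have produced the signature (-partial_chain treats it as the trust anchor).
signed_by() {           # <server.crt> <intermediate.crt>
    issuer=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 2
    subject=$(openssl x509 -in "$2" -noout -subject_hash 2>/dev/null) || return 2
    [ "$issuer" = "$subject" ] &&
        openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run every check in order; print the first failure and return non-zero.
preflight() {           # <server.crt> <private.key> <intermediate.crt>
    cert_matches_key "$1" "$2" ||
        { echo "FAIL: key does not match certificate"; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate has expired"; return 1; }
    signed_by "$1" "$3" ||
        { echo "FAIL: certificate not issued by this intermediate"; return 1; }
    echo "OK: certificate, key and intermediate are consistent"
}

# Usage with the placeholder paths from the virtual host example:
#   sh preflight.sh /path/to/examplesite.crt /path/to/privatekey.key \
#       /path/to/intermediate.crt && systemctl restart httpd.service
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```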

Create a New Self Signed SSL Certificate

To create a Self-Signed SSL Certificate on CentOS, follow these commands.

First let’s check whether Apache has the SSL module enabled. 

 [root@host2 ~]# apachectl -M | grep ssl
 [root@host2 ~]#  

If it does not have this module installed, we can install it using this command.

[root@host2 ~]# yum -y install mod_ssl

Next, we restart apache so the server recognizes the changes.

[root@host2 ~]# service httpd restart

In verifying the module is now in place, we will rerun the command.

 [root@host2 ~]# apachectl -M | grep ssl
  ssl_module (shared) 

Now, we will create a new folder to store our private key.

[root@host2 ~]# mkdir /etc/httpd/ssl

Since the files stored within this directory must be kept private, we modify the folder permissions to ensure the root user is the only one who has access.

[root@host2 ~]# chmod 700 /etc/httpd/ssl

Create the Key and Self-Signed Certificate

Next, we will create the SSL key and certificate files using the openssl command. Because the command below uses the -x509 option, openssl writes a self-signed certificate directly instead of a CSR. You will be prompted with a series of questions about the domain the certificate is for. Run the following command to begin.

[root@host2 ~]# openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt

Generating a RSA private key
writing new private key to '/etc/httpd/ssl/apache.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Michigan
Locality Name (eg, city) [Default City]:Lansing
Organization Name (eg, company) [Default Company Ltd]:Liquid Web Inc.
Organizational Unit Name (eg, section) []:Marketing
Common Name (eg, your name or your server's hostname) []
Email Address []
[root@host2 ~]# 

Add the Self-Signed SSL Certificate to Apache

Next, we add the new certificate locations to our ssl.conf file to display the new SSL correctly. 

vim /etc/httpd/conf.d/ssl.conf

Find the section titled: “VirtualHost _default_:443” and add the following Virtual Host configuration on the next line. (on my server this section begins on line 40 on the default ssl.conf file)

 <VirtualHost _default_:443>


 <VirtualHost _default_:443>

Note: The domain should be the same as the “Common Name” specified in the step above. 

Now, verify that the following variables are set appropriately within the same file: 

SSLEngine on
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key

Make sure the paths point to where the files are actually located. Then save the file and exit with the command :wq.

Next, restart Apache

 [root@host2 ~]# systemctl restart httpd.service
 [root@host2 ~]# 

Finally, test your updated configuration by running the following command.

apachectl configtest

or, on Debian and Ubuntu systems, where the control script is named apache2ctl:

apache2ctl configtest

The output should be similar to the following.

 . . .
 Syntax OK 

This will detect any errors in your configuration such as mismatched public and private keys, or an incorrect path.

Finally, restart Apache again.

[root@host2 ~]# systemctl restart httpd.service


Open a web browser, and browse to the domain name or IP using https:// to verify the new certificate is active.

Your web browser will most likely show a warning that the website’s security certificate is not trusted. This is normal because our certificate is not signed by a known CA (certificate authority) like Thawte or GlobalSign. This warning simply means it is unable to verify the identity of the server that you are trying to connect to. We created a self-signed certificate instead of a trusted CA-signed certificate, so this makes perfect sense.

Once you add an exception to the browser’s identity verification, you will be allowed to proceed to your newly secured site.


Replacing an SSL certificate on a core managed or unmanaged server is often time-consuming and adds a layer of complexity to an already complicated system. SSL certificates are a necessity when dealing with today's security-conscious clients. Demonstrating that you take security seriously only aids in providing a higher level of trust.

Should you have any questions regarding this information, we are always available to answer any inquiries with issues related to this article, 24 hours a day, 7 days a week, 365 days a year.

Our Support teams are filled with experienced Linux technicians and talented system administrators who have intimate knowledge of multiple web hosting technologies, especially those discussed in this article.

If you are a Fully Managed VPS server, Cloud Dedicated, VMWare Private Cloud, Private Parent server, Managed Cloud Servers, or a Dedicated server owner and you are uncomfortable with performing any of the steps outlined, we can be reached via phone at 800.580.4985, a chat, or a support ticket to assist you with this process.

About the Author: David Singer

I am a g33k, Linux blogger, developer, student, and former Tech Writer for My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....