Why do I Need to Install or Reinstall My SSL Certificate?

According to GlobalSign:

The Certificate Authority (CA) industry was alerted of compliance implications related to the inclusion of a specific extension (OCSP-signing extended key usage) in CA certificates which has, under certain conditions, unintended compliance and security implications. A number of GlobalSign Issuing CAs have been impacted by this issue. While no key compromise or security incident has taken place, we will be revoking these Issuing CA’s as part of our remediation plan in accordance with the CA/B Forum Baseline Requirements and the GlobalSign CPS. Revoked intermediate certificates can cause errors in the validation of certificates signed by these Intermediate Certificates.

So, What Exactly Does This Mean?

It means that one of the base certs which validates your SSL certificate was found to have had a flaw. Although no security issues have been seen, GlobalSign has opted to revoke that base certificate as a precautionary measure to ensure no compromises affect its clients.

What is the Next Step?

Basically, GlobalSign is asking you to search your server for any affected certificates and either replace or reissue them using the steps they outline below.

Reissuing an SSL Certificate

GlobalSign has asked clients affected by this issue to take the following steps.
1. Search For Impacted Certificates at GlobalSign
2. Reissue any affected SSL Certificates
3. Install New Certificates (select the server type on this page, e.g., Apache, Nginx, IIS)
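
As a local complement to GlobalSign's search in step 1, the added example below (not GlobalSign tooling and not part of the original article) scans a PEM chain file for CA certificates that carry the OCSP Signing extended key usage named in the notice. The function names and the two throwaway test CAs are constructed for illustration; on a real server you would point scan_bundle at your own intermediate file.

```shell
#!/bin/sh
# Added example: flag CA certificates in a PEM bundle that list the
# "OCSP Signing" extended key usage. All certificates below are constructed.

# has_ocsp_eku FILE: succeeds if FILE is a CA certificate listing OCSP Signing.
has_ocsp_eku() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' |
        grep -q 'OCSP Signing'
}

# scan_bundle FILE: print the subject of each flagged certificate in a bundle.
scan_bundle() {
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (dir "/cert" n ".pem") }' "$1"
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || continue
        if has_ocsp_eku "$c"; then openssl x509 -in "$c" -noout -subject; fi
    done
    rm -rf "$tmp"
}

# make_demo_bundle DIR: build two throwaway CA certificates, one with the
# OCSP Signing EKU, and concatenate them into DIR/chain.pem.
make_demo_bundle() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[plain]
basicConstraints = critical,CA:TRUE
[ocsp]
basicConstraints = critical,CA:TRUE
extendedKeyUsage = OCSPSigning
EOF
    for kind in plain ocsp; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
            -extensions "$kind" -subj "/CN=Constructed $kind CA" \
            -keyout "$1/$kind.key" -out "$1/$kind.pem" 2>/dev/null || return 1
    done
    cat "$1/plain.pem" "$1/ocsp.pem" > "$1/chain.pem"
}

# Demo run on the constructed bundle; only the "ocsp" CA should be listed.
d=$(mktemp -d) && make_demo_bundle "$d" && scan_bundle "$d/chain.pem"; rm -rf "$d"
```

A match here only means the extension is present; GlobalSign's own search remains the authority on which certificates need to be reissued.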

What if I Need a New SSL Certificate?

In that case, we have outlined below the steps you need to take to install a new SSL certificate.

Obtaining a New SSL Certificate

In order to create a new SSL certificate, we must follow these steps.

1. Generate a CSR — Create a new Certificate Signing Request

2. Purchase a Certificate — Send the CSR to GlobalSign, pay for the order, they then vet the info and provide a signed certificate.

3. Install the Certificate — Typically, this falls under the Apache configuration.

Below, we provide greater detail to accomplish this task on both Core Managed CentOS and Unmanaged Ubuntu servers.

To obtain a new SSL certificate, you must first generate a CSR, or Certificate Signing Request. Next, you must submit your CSR to GlobalSign to get a new SSL certificate. Once you have ordered your certificate and the vetting process is complete, you are ready to install your certificate. You can obtain a copy of your certificate at any time via your GlobalSign Certificate Center (GCC) account. It will also be emailed to you.

Before installing your SSL certificate, you will need to ensure you have two other certificates provided by GlobalSign installed. These additional certificates, which can be downloaded here, are known as intermediate certificates and are linked to GlobalSign’s root certificate. These intermediate certificates are needed to ensure your clients’ browsers trust the SSL certificate you are installing.

Generate a CSR Certificate

First, let’s make sure Apache has the SSL module enabled. The a2enmod command enables it if it is not already active.

root@host3:~# a2enmod ssl 

Next, we need to restart Apache to load the module.

root@host3:~# systemctl restart apache2 

We begin by generating a CSR to send to GlobalSign for your SSL certificate using this command (replace mydomain with your domain name).

root@host3:~# openssl req -new -newkey rsa:2048 -nodes -keyout /etc/ssl/private/mydomain.key -out /etc/ssl/private/mydomain.csr
Generating a RSA private key
writing new private key to '/etc/ssl/private/mydomain.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Michigan
Locality Name (eg, city) []:Detroit
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Liquid Web Inc.
Organizational Unit Name (eg, section) []:Marketing
Common Name (e.g. server FQDN or YOUR name) []
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234567890
An optional company name []:

You will be prompted to answer a series of questions, as noted below.

  • Country Name: This is the two-letter abbreviation for your country. For example, United States would be US and Great Britain would be GB.
  • State or Province Name: This is the full name of the state your organization operates from. For example, this might be “California” or “Michigan.”
  • Locality Name: Name of the city your organization operates from. Examples might include “Lansing” or “Phoenix”. Don’t use abbreviations in this field. For example, “St. Helena” should be “Saint Helena.”
  • Organization Name: The name of your organization. If you are a business, you must use your legal name. If you are applying as an individual, use your full name instead.
  • Organizational Unit Name: If applying as a business, you can enter your “Doing Business As” (DBA) name here. Alternately, you can use a department name here. For example, “IT Department” or “Web Administration.”
  • Common Name: The domain name that you are purchasing an SSL certificate for. This must be a fully qualified domain name (FQDN). An example might be
  • Email Address: An email address that can be used as a point of contact for your domain. Be sure the address is valid!
  • A challenge password: An optional password to further secure your certificate. Be sure to remember this password if you choose to use it. It must be at least 4 characters long. You can skip this step if you like.
  • An optional company name: Another optional step. Fill in your company name if you wish. This is not required for web SSL certificates.

Key and CSR Files

In the /etc/ssl/private/ directory, you should see two new files. 

  • mydomain.csr
  • mydomain.key

root@host3:/etc/ssl/private# ll
total 20
drwx--x--- 2 root ssl-cert 4096 Dec 18 15:40 ./
drwxr-xr-x 4 root root     4096 Apr 24  2020 ../
-rw-r--r-- 1 root root     1119 Dec 18 15:40 mydomain.csr
-rw------- 1 root root     1704 Dec 18 15:39 mydomain.key

The .key file should be kept private on your server. The .csr file is your new certificate signing request. This file contains the information that will be sent to a Certificate Authority. You can inspect the contents of the CSR by using the “cat” command.

root@host3:/etc/ssl/private# cat mydomain.csr


You will need to copy and paste the entire contents of the CSR file to your Certificate Authority when ordering a new SSL certificate. Be sure to include the lines that read 




Order a New SSL Certificate

You can now order a new SSL from within your Manage Dashboard. Select Add and then SSL Certificate.


Next, choose the manual option and paste in the CSR that was generated above.


Lastly, click the Purchase SSL Certificate button.


Install The Certificate

To install the certificate when it arrives, copy the certificates into the typical location for these files, the /etc/httpd/ssl folder on your server. This includes your server certificate, private key, and an intermediate certificate. Your server certificate can be obtained from the delivery e-mail.

Next, open your Apache configuration file for editing. This will generally be found in the following locations in Ubuntu.

root@host3:~# vim /etc/httpd/httpd.conf

Now, configure your virtual host to use the certificates. Locate the virtual host for your site in the httpd.conf file. It should look like the example below.

     DocumentRoot /var/www/examplesite
     SSLEngine on
     SSLCertificateFile /path/to/examplesite.crt
     SSLCertificateKeyFile /path/to/privatekey.key
     SSLCertificateChainFile /path/to/intermediate.crt

Point the following directives to the corresponding certificate located in the /etc/ folder.

SSLCertificateFile — This should point to your server certificate.
SSLCertificateKeyFile — This should point to your server's private key.
SSLCertificateChainFile — This should point to the intermediate certificate for your product.

In Ubuntu, you can add new Apache config files into the /etc/apache2/sites-available/ folder, and they will load when Apache is reloaded or restarted the next time.

Next, we will test our updated configuration. Depending on your system, run the command:

root@host3:~# apachectl configtest 


root@host3:~# apache2ctl configtest

This will detect any errors in your configuration such as mismatched public and private keys, or an incorrect path.

Finally, restart Apache.

root@host3:~# systemctl restart apache2
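
A direct way to confirm that the private key, the CSR and the issued certificate belong together before restarting Apache is to compare their public keys. The following is an added example, not part of the original article; the function names, the constructed.example subject and the self-signed stand-in for the CA's reply are assumptions made so it runs offline.

```shell
#!/bin/sh
# Added example: confirm key, CSR and certificate share one public key.

# pubkey_digest KIND FILE: SHA-256 of the public key in a key, csr or cert.
pubkey_digest() {
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    [ -n "$pub" ] || return 1   # an unreadable file must never "match"
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{ print $NF }'
}

# files_match KEY CERT [CSR]: succeeds only if all files hold the same key.
files_match() {
    k=$(pubkey_digest key "$1") || return 1
    c=$(pubkey_digest cert "$2") || return 1
    [ "$k" = "$c" ] || return 1
    if [ -n "${3:-}" ]; then
        r=$(pubkey_digest csr "$3") || return 1
        [ "$k" = "$r" ] || return 1
    fi
}

# make_demo_files DIR: constructed key, CSR, certificate and an unrelated key.
make_demo_files() {
    printf '[req]\ndistinguished_name=dn\n[dn]\nCN=x\n' > "$1/min.cnf"
    # Same CSR command as the article, with -subj instead of the prompts.
    openssl req -new -newkey rsa:2048 -nodes -config "$1/min.cnf" \
        -subj "/CN=constructed.example" \
        -keyout "$1/mydomain.key" -out "$1/mydomain.csr" 2>/dev/null || return 1
    # Stand-in for the CA's reply: a self-signed certificate over the CSR.
    openssl x509 -req -in "$1/mydomain.csr" -signkey "$1/mydomain.key" \
        -days 1 -out "$1/mydomain.crt" 2>/dev/null || return 1
    # An unrelated key, such as one left over from an earlier CSR run.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/old.key" 2>/dev/null
}

d=$(mktemp -d) && make_demo_files "$d" &&
    files_match "$d/mydomain.key" "$d/mydomain.crt" "$d/mydomain.csr" &&
    echo "key, CSR and certificate match"
files_match "$d/old.key" "$d/mydomain.crt" || echo "old.key does not match"
rm -rf "$d"
```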

Create a New Self Signed SSL Certificate

To create a Self-Signed SSL Certificate on Ubuntu, follow these commands.

First, let’s check whether Apache has the SSL module enabled.

[root@host3 ~]# apachectl -M | grep ssl
[root@host3 ~]# 

If this module is not enabled, we can enable it using this command.

[root@host3 ~]# a2enmod ssl

Next, we restart Apache so the server recognizes the changes.

root@host3:~# systemctl restart apache2

To verify the module is in place, we will rerun the command.

root@host3:~# apachectl -M | grep ssl
  ssl_module (shared)

Now, we will create a new folder to store our private key.

[root@host2 ~]# mkdir -p /etc/ssl/private

Since the files stored within this directory must be kept private, we modify the folder permissions to ensure the root user is the only one who has access.

[root@host2 ~]# chmod 700 /etc/ssl/private

Create a CSR

Next, we will create the SSL key and certificate files using the openssl command. Because the command includes the -x509 option, openssl writes a self-signed certificate instead of a CSR. You will be prompted for a series of questions regarding the information about the domain you are creating. Run the following command to begin.

[root@host2 ~]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache.key -out /etc/ssl/private/apache.crt

 Generating a RSA private key
 writing new private key to '/etc/ssl/private/apache.key'
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 Country Name (2 letter code) [AU]:US
 State or Province Name (full name) [Some-State]:Michigan
 Locality Name (eg, city) []:Lansing
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:Liquid Web Inc.
 Organizational Unit Name (eg, section) []:Marketing
 Common Name (e.g. server FQDN or YOUR name) []
 Email Address []

Create Website

Now, let’s quickly create a new folder for a test website in /var/www/ by running the following command.

[root@host3 ~]# mkdir /var/www/g33k

Now that we have a directory for our site, we will add a basic HTML file. Next, we will cd into our newly created folder and create a file.

[root@host3 ~]# cd /var/www/g33k/
[root@host3 ~]# vim index.html

Paste the following code in the index.html file

     <p> is now secure!</p>

Using this, we can now configure our virtual hosts entry.

Add the Self-Signed SSL Certificate to Apache

Because Apache comes with a default VirtualHost file called 000-default.conf, we will use that as our configuration template file. Next, we copy the template file to a new file called g33k.conf. Then we will edit the file.

[root@host3 ~]# cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/g33k.conf
[root@host3 ~]# vim /etc/apache2/sites-available/g33k.conf

In this file, we should modify the following entries.

DocumentRoot /var/www/g33k/
ServerName

This ensures that visitors will reach the correct website instead of the default page when they type in

Configure Virtual Hosts

Next, we will activate the virtual hosts config file by running the following command inside the configuration file directory.

[root@host3 ~]# a2ensite g33k.conf
Enabling site
 To activate the new configuration, you need to run:
   systemctl reload apache2
root@host3:/etc/apache2/sites-available# systemctl reload apache2.service

<VirtualHost _default_:443>

Note: The domain should be the same as the “Common Name” specified in the step above. 

Now, verify that the following variables are set appropriately within the same file: 

SSLEngine on
SSLCertificateFile /etc/ssl/private/apache.crt
SSLCertificateKeyFile /etc/ssl/private/apache.key

Finally, ensure you add the file locations where the SSL files can be located. Then exit and save the file with the :wq command.

Next, restart Apache.

SSL is working


Your web browser will most likely show the warning triangle in the browser’s address bar stating that the website’s security certificate is not trusted. This is normal because our certificate is not signed by a known CA (certificate authority) like Thawte or GlobalSign. This warning simply means it is unable to verify the identity of the server that you are trying to connect to. We created a self-signed certificate instead of a trusted CA-signed certificate, so this makes perfect sense.

As you can see, the information we added in our certificate is plainly visible. Once you add an exception to the browser’s identity verification, you will be allowed to proceed to your newly secured site.


Replacing an SSL certificate on a core managed or unmanaged server is often time-consuming and adds a layer of complexity to an already complicated system. SSL certificates are a necessity when dealing with today’s security-conscious clients. Demonstrating that you take security seriously only aids in providing a higher level of trust.

Should you have any questions regarding this information, we are always available to answer any inquiries with issues related to this article, 24 hours a day, 7 days a week, 365 days a year.

Our Support teams are filled with experienced Linux technicians and talented system administrators who have intimate knowledge of multiple web hosting technologies, especially those discussed in this article.

If you are a Fully Managed VPS server, Cloud Dedicated, VMWare Private Cloud, Private Parent server, Managed Cloud Servers, or a Dedicated server owner and you are uncomfortable with performing any of the steps outlined, we can be reached via phone at 800.580.4985, a chat, or a support ticket to assist you with this process.

