SSL CSR Change Guide

TL;DR

You generally can’t directly *change* an existing Certificate Signing Request (CSR). You need to create a new one. This guide explains how, and what to do with it.

Changing Your SSL CSR: A Step-by-Step Guide

1. Understand Why You Need a New CSR
   • Incorrect Information: The most common reason. If the domain name, organisation details or other information is wrong in your current CSR, you need to generate a new one.
   • Key Compromise: If you suspect your private key has been compromised, create a new CSR with a new key pair immediately.
   • Server Change: Moving your SSL certificate to a different server often requires a new CSR because of differences in the server configuration.
2. Generate a New CSR on Your Server
   The process varies depending on your web server software.
   • Apache: Use OpenSSL directly or tools like certutil.

     openssl req -new -key private.key -out csr.csr

     Follow the prompts to enter your details (Common Name is crucial – this *must* match your domain name).

   • NGINX: Typically, you’ll use OpenSSL.

     openssl req -new -key nginx.key -out nginx.csr

     Again, pay close attention to the Common Name prompt.

   • IIS (Windows Server): Use the IIS Manager.
     • Open IIS Manager.
     • Select your server in the Connections pane.
     • Double-click ‘Server Certificates’.
     • Click ‘Create Certificate Request’ in the Actions pane.
     • Fill out the form and save the CSR file.
3. Verify Your New CSR

   Before submitting, check your new CSR to ensure it contains correct information.

   openssl req -text -noout -in csr.csr

   Review the output carefully, especially the ‘Subject’ field (Common Name and Organisation details).

4. Submit Your New CSR to Your Certificate Authority (CA)
   • Log in to your CA’s control panel.
   • Find the section for requesting a new certificate or replacing an existing one.
   • Paste the *entire* contents of your new CSR file into the provided field. Make sure you copy everything, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
5. Download and Install Your New Certificate
   • Once your CA validates the CSR (this may involve email verification), they will issue you a new certificate file.
   • Follow your CA’s instructions to download the certificate.
   • Install the new certificate on your web server, along with any intermediate certificates provided by the CA. The installation process varies depending on your server software (Apache, NGINX, IIS etc.).
6. Remove Old Certificates

   After confirming that the new certificate is working correctly, remove the old SSL certificate and associated private key from your server. This improves cyber security.