SSL Key Backup Guide

TL;DR

Back up your SSL private key immediately and store it securely offline. This guide shows you how to do this, covering finding the key, creating a backup, and securing that backup.

1. Locate Your SSL Private Key

Your private key is usually stored alongside your certificate file. The location depends on where you installed your SSL certificate. Common places include:

  • Apache: /etc/apache2/sites-available/ or /var/www/yourdomain.com/ssl/
  • Nginx: /etc/nginx/conf.d/ or /var/www/yourdomain.com/ssl/
  • cPanel/WHM: Usually accessible through the File Manager, often in a directory like /home/username/ssl/

The private key file typically has a name similar to private.key or yourdomain.com.key and is a plain text file.

Important: Do not share your private key with anyone!

2. Create a Backup of Your Key

Once you’ve found the key, create a backup copy. You can do this using command-line tools or file management software.

Using Command Line (Linux/macOS)

cp /path/to/your/private.key /path/to/backup/directory/private.key.bak

Replace /path/to/your/private.key with the actual path to your key file and /path/to/backup/directory/ with a secure backup location.

Using File Manager (cPanel, Plesk etc.)

  1. Navigate to the directory containing your private key using the file manager.
  2. Select the private key file.
  3. Choose ‘Copy’ or ‘Download’.
  4. Paste or save the copy in a secure backup location.

3. Secure Your Backup

A plain text private key is extremely sensitive. Follow these steps to protect it:

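  • Encryption: Encrypt the backup file with a strong passphrase using tools like OpenSSL or GPG.
    openssl enc -aes-256-cbc -salt -pbkdf2 -in private.key.bak -out private.key.enc

    You will be prompted for a passphrase (password). Remember this passphrase! Without it the backup cannot be decrypted. The -pbkdf2 option (OpenSSL 1.1.1 and later) replaces the weak legacy key derivation that openssl enc otherwise uses, and the same option must be given when decrypting.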

  • Offline Storage: Store the encrypted backup file on an offline medium, such as:
    • USB drive (kept in a secure location)
    • External hard drive (kept in a secure location)
    • Printed copy (for extreme security – but difficult to restore from!)
  • Multiple Backups: Create multiple backups and store them in different locations.
  • Regular Testing: Periodically test your backup process by attempting a restoration to ensure it works correctly.
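
The encryption and regular-testing steps above can be combined so that every backup is proven restorable at the moment it is made. The script below is an added example, not part of the original guide; it assumes OpenSSL 1.1.1 or later, and the KEY_BACKUP_PASS variable name and the iteration count are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes OpenSSL 1.1.1+ (-pbkdf2).
# KEY_BACKUP_PASS is a hypothetical variable name holding the passphrase; the
# iteration count is this example's choice.
ENC_OPTS="-aes-256-cbc -salt -pbkdf2 -iter 600000 -pass env:KEY_BACKUP_PASS"

# verify_backup KEY ENC: decrypt ENC to a pipe (never to disk) and compare it
# byte for byte with KEY. Fails on a wrong passphrase or a damaged backup.
verify_backup() {
    openssl enc -d $ENC_OPTS -in "$2" 2>/dev/null | cmp -s - "$1"
}

# backup_key KEY ENC: encrypt KEY straight to ENC, leaving no plain-text copy,
# then prove the backup restores before reporting success.
backup_key() {
    [ -r "$1" ] || { echo "cannot read key: $1" >&2; return 1; }
    [ -n "${KEY_BACKUP_PASS:-}" ] || { echo "KEY_BACKUP_PASS not set" >&2; return 1; }
    ( umask 077 && openssl enc $ENC_OPTS -in "$1" -out "$2" ) || return 1
    verify_backup "$1" "$2" || { echo "restore test FAILED: $2" >&2; return 1; }
    echo "backup verified: $2"
}

# demo_checks DIR: exercise the functions on a throwaway key generated in DIR
# (constructed sample data, not a real site key).
demo_checks() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/private.key" 2>/dev/null || return 1
    export KEY_BACKUP_PASS='constructed-demo-passphrase'
    backup_key "$1/private.key" "$1/private.key.enc" || return 1
    # The backup must not contain the PEM text in the clear.
    if grep -q 'PRIVATE KEY' "$1/private.key.enc"; then return 1; fi
    # A wrong passphrase must make the restore test fail.
    KEY_BACKUP_PASS='wrong-passphrase'
    if verify_backup "$1/private.key" "$1/private.key.enc"; then return 1; fi
    # So must a truncated (damaged) backup file.
    KEY_BACKUP_PASS='constructed-demo-passphrase'
    head -c 100 "$1/private.key.enc" > "$1/damaged.enc"
    if verify_backup "$1/private.key" "$1/damaged.enc"; then return 1; fi
    echo "demo passed"
}

# demo: run demo_checks in a subshell on a temp directory, then clean up.
demo() {
    dir=$(mktemp -d) || return 1
    rc=0; ( demo_checks "$dir" ) || rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

In real use, call backup_key with the path to your key and a destination on the backup medium, and rerun verify_backup against the stored file on whatever schedule you test restores.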

4. Consider Using a Password Manager

If you’re comfortable with password managers, some allow secure storage of files. However, be sure the password manager uses strong encryption and has a good security reputation.

5. Revoke Compromised Certificates (if needed)

If you suspect your private key has been compromised, immediately revoke the associated SSL certificate through your Certificate Authority (CA). Then, request a new certificate.
