Updating the SSL certificate

Justin Uberti edited this page Feb 21, 2021 · 4 revisions

[Obsoleted by GCP's new SSL management services. Keeping around for now just to be safe, but this can probably be thrown away if we can make it to EOY 2021 without another manual cert update.]

Having invested a ridiculous amount of time getting this set up over the past two years, I wanted to write down the specific steps needed to update EPSchedule's SSL cert:

  1. Renew the cert on Namecheap.com. The new cert will show up in Namecheap as inactive.

  2. Generate a cert signing request locally using OpenSSL. You'll need to specify www.epschedule.com as the CN; for location I suggest US, WA, Kirkland.

     openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out request.csr
    
  3. Activate the cert on Namecheap, using the newly generated CSR. For domain verification, use email validation. Previously, I used domain validation, but it takes some amount of time for the DNS changes on Namecheap to go live, so I think email will be faster. info@epschedule.com currently forwards to justin@uberti.name; it's easy to add others from the dashboard page linked above.

  4. Namecheap will then send the new certs to justin@uberti.name; you can also download them from the dashboard page. These will be packaged in a zip file that includes the leaf cert and cert chain bundle.

  5. At this point the certificate should show up as active in the Namecheap dashboard.

  6. Concatenate the bundle to the leaf cert to make a complete cert chain:

      cat www_epschedule_com.crt > allcerts.crt
      cat www_epschedule_com.ca-bundle >> allcerts.crt
    
  7. Now it's time to upload the certs to GCP. From the GCP SSL settings page, click Upload a new certificate. For the public key certificate, use the allcerts.crt chain file from #6; for the private key, use the myserver.key file from #2; the cert name can be left as the default.

  8. At this point the new cert should be active on www.epschedule.com. The old cert can be deleted now.

  9. Last step is to double-check that everything got configured correctly. Head over to SSLChecker and point it at www.epschedule.com. If everything checks out, you're done... until next year.
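
A pre-upload check for the files from steps 2 and 6, as an added example that is not part of the original page: it confirms that myserver.key matches the leaf certificate at the top of allcerts.crt, that the certificate covers www.epschedule.com, and that the chain verifies. The function names and the optional extra-root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: checks to run before uploading in step 7.
# Function names are hypothetical; file names follow the page.

# Public key (PEM) derived from a private key file.
pub_from_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Public key (PEM) of the FIRST certificate in a file, which is the leaf
# when the chain was concatenated in the order shown in step 6.
pub_from_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# True only if both public keys could be extracted and are identical.
key_matches_cert() {
    k=$(pub_from_key "$1") || return 1
    c=$(pub_from_cert "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True if the first certificate in the file is valid for the host name.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# True if the leaf chains to a trusted root through the certificates in the
# same file. $2 is an optional extra root file (assumption: only needed when
# testing with a private CA; omit it for a publicly issued cert).
chain_verifies() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$1" "$1" >/dev/null 2>&1
    fi
}

# Run all checks in order; report the first failure on stderr.
preflight() {  # usage: preflight KEY CHAIN HOST [ROOT]
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match leaf cert" >&2; return 1; }
    cert_covers_host "$2" "$3" || { echo "FAIL: cert is not valid for $3" >&2; return 1; }
    chain_verifies "$2" "${4:-}" || { echo "FAIL: chain does not verify" >&2; return 1; }
    echo "OK: $2 is ready to upload with $1"
}

# Example: sh preflight.sh myserver.key allcerts.crt www.epschedule.com
if [ "$#" -ge 3 ]; then preflight "$@"; fi
```

A key mismatch here usually means the cert was issued against a different CSR than the one generated in step 2, or that the bundle was concatenated ahead of the leaf.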