How to add more domains to the MM UCC certs
This article is for anyone who is tasked with adding a new domain to one of the existing MM UCC certs and installing it on the server.
PART 1 – Adding SAN to the UCC SSL cert purchased via domains.peacefulmedia.com
- Go to http://domains.peacefulmedia.com/.
- Under “SSL & Security” click on “My SSL Certificates”
- Log in with customer # and password (see MM cred sheet)
- On the relevant account entry under “SSL Certificates” (eg. dreambuilderprogram.com) click the “Launch” button
- You will be taken to “Secure Certificate Services” for this certificate.
- Click “Manage” and choose “Add or Remove SANs”
- In the “Manage UCC Certificate” dialog add as many domain names as needed. Don’t forget the “www” variant for all new domain names. On this dialog you also have the option of parsing a CSR if one has been generated from the host.
- Once the SANs have been added, there will be an initial stage of “Initializing Certificate Request”. This can last up to an hour.
- The system will then email the Registrant and Administrative contacts for the CN domain (check WHOIS) and ask them to verify the domains. Contact those people and ask them to check their email and verify the domains you added.
- Once verified, a new certificate will show up in Certificate Member with status “Current”. The old certificate entry (prior to adding SANs) will also show as “Current” but will display “This certificate will be revoked within 72 hours.”
- Click the relevant cert and then click the “Download” button and download the correct bundle (cpanel) to your local machine.
PART 2 – Replacing/installing cert on server (via WHM)
- Unzip the “cpanel” cert bundle. Open up both “.crt” files in a text editor. Identify which file is which. The “certificate” itself is one cert block starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----. The “bundle” is usually multiple cert blocks in the same file. That's how you can usually tell which is the cert vs the bundle. Both are important.
- Log in to WHM on the relevant server as root.
- In the search box type “SSL” and choose the option on the left that says “Install an SSL Certificate on a Domain”.
- In the “domain” field type the domain you will be installing/replacing the cert for and click “Autofill By Domain”.
- If a cert is already installed for that domain the details will be displayed in the fields below. If so then you will be REPLACING a cert. Otherwise you will be INSTALLING a cert.
A) REPLACING an existing domain cert
- Steps 1 – 5 have been followed above and the “Certificate”, “Private Key” and “Certificate Authority Bundle (optional)” are all populated.
- Copy and paste the entire contents of the “certificate” (non-bundle) .crt file (eg. 27b1f3309f9fed.crt) into the “Certificate” field on the WHM screen – replacing the existing contents. A list of domains on the certificate should show up in a box below the field as well as the issuer, key-size, etc.
- Copy and paste the entire contents of the “bundle” .crt file (eg. sf_bundle.crt) into the “Certificate Authority Bundle (optional)” field on the WHM screen – replacing the existing contents.
- Leave the “Private Key” field alone since it is already populated with the correct value.
- Click the “Install” button at the bottom of the page. The new cert will now be installed. The old cert will automatically be invalidated/disabled and removed after 3 days.
— OR —-
B) INSTALLING A DOMAIN CERT
- Steps 1 – 5 have been followed above but the message “No certificate for the domain X could be found” appears
- First grab the private key for the cert by clicking “Browse Certificates” and choosing the domain that represents the CN on the cert. Click the cert and then the “Use Certificate” button at the bottom.
- The fields will now be populated with the cert details. Copy and Paste the entire contents of the “Private Key” field into a text file. We will need this value.
- Click the “Clear” button at the bottom of the page. Then type in the domain where you will be installing the cert into the “Domain” field and click “Autofill By Domain” to apply.
- Copy and paste the entire contents of the main (non-bundle) .crt file (eg. 27b1f3309f9fed.crt) into the “Certificate” field on the WHM screen. A list of domains on the certificate should show up in a box below the field as well as the issuer, key-size, etc.
- Copy and paste the entire contents of the bundle .crt file (eg. sf_bundle.crt) into the “Certificate Authority Bundle (optional)” field on the WHM screen.
- Copy and paste the entire private key (begins with -----BEGIN RSA PRIVATE KEY-----) into the “Private Key” field on the WHM screen.
- Click the “Install” button at the bottom of the page. The new cert will now be installed.
As an alternative to getting the private key value from the original CN domain in WHM you can also get this value from the ssl folder for the user account where the cert was originally installed. Look in the ~/ssl/keys folder.
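The checks WHM shows after pasting (which file is the cert, which domains it covers, whether the private key belongs to it) can also be run from a shell before installing. This is an added example, not part of the original article: it assumes the openssl CLI is installed, and the function names and the example.test sample certificate are constructed for illustration.

```shell
# Added example: pre-install checks for the "cpanel" bundle files (needs openssl).

# One PEM block = the certificate itself; several blocks = the CA bundle.
classify_crt() {
  case "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)" in
    0) echo "none" ;;
    1) echo "certificate" ;;
    *) echo "bundle" ;;
  esac
}

# DNS names (SANs) on the certificate, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Print each expected domain, and its www variant, that is NOT on the certificate.
missing_sans() {
  local crt sans d name
  crt=$1; shift; sans=$(cert_sans "$crt")
  for d in "$@"; do
    for name in "$d" "www.$d"; do
      printf '%s\n' "$sans" | grep -qxF -- "$name" || echo "$name"
    done
  done
}

# Succeeds only if the private key belongs to the certificate (same public key).
key_matches_cert() {
  local a b
  a=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  b=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$a" = "$b" ]
}

# Constructed sample: throwaway self-signed cert in directory $1 (key.pem, cert.crt).
make_sample() {
  printf '[req]\ndistinguished_name=dn\n[dn]\n[san]\nsubjectAltName=%s\n' \
    'DNS:example.test,DNS:www.example.test,DNS:shop.example.test' > "$1/san.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
    -config "$1/san.cnf" -extensions san -keyout "$1/key.pem" -out "$1/cert.crt" 2>/dev/null
}

# Usage: bash check_cert.sh CERT.crt PRIVATE.key domain [domain...]
if [ "$#" -ge 3 ]; then
  crt=$1; key=$2; shift 2
  key_matches_cert "$crt" "$key" && echo "private key matches" || echo "KEY MISMATCH"
  missing_sans "$crt" "$@" | sed 's/^/missing SAN: /'
fi
```

Any name printed by `missing_sans` was not added as a SAN in Part 1, and a key mismatch means the wrong private key was copied for this cert.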