How to generate a CSR + Key to buy a new SSL certificate without replacing current?

Rog (Verified User, joined Sep 27, 2016)
Our current SSL EV certificate expires in a few weeks and I need to buy a new one.

When I generate a CSR (Certificate Signing Request), it appears to generate a new key and install it immediately (replacing the old one), and it uses a temporary Shared Server Certificate in the meantime. This is of course NEVER supposed to happen, because now the site appears to be insecure/untrusted when people visit it (the shared certificate is not CA certified).

I quickly restored this by putting back the previous SSL EV certificate + the corresponding Key, which I fortunately still had saved, although I can no longer find out how I actually got that Key.

My question: how can I generate a CSR and the corresponding Key, allowing me to save the CSR + Key but not install/activate them yet?

This would allow me to then complete the SSL purchasing process (including company verification etc because we're using an SSL EV certificate), and once I receive the certificate, I can install + activate that along with the previously generated Key.
 
There are public services where you can generate a CSR. If you don't trust them, you can use the command line of your server with this guide: https://help.directadmin.com/item.php?id=256
Thanks, but unless I misunderstand what's happening in DirectAdmin, it does generate a new Private Key as well, along with the CSR. Is there no way to simply get the Key as well, so I can save that? (instead of having to do it manually on the shell or even through an external service)

Are you sure that Directadmin overwrote the existing cert/key when you created a CSR? I really doubt it.
It surprised me too, but yes, I'm sure. Just tried again, when I generate the CSR, here is a screenshot of the result.

Well, actually it says it created a backup of the existing key, but it does indeed immediately replace the active key+cert with a new one (the certificate being a generic shared one, thus considered insecure for normal visitors as it's not signed for my domain).
 
I've tested it on my end, and I did not replicate the issue you are referring to. Here is what I've done:

1. found a domain on my server with an existing cert/key
2. generated a CSR
3. got my CSR

and still my valid and original KEY with CERT are in their place.

If you create a CSR for a domain which already uses an individual SSL CERT in Directadmin, it uses the existing SSL key; it does not generate another KEY and does not overwrite it.
 
I can confirm this happens....

But what's worse is IF you go from using Lets Encrypt SSL, and THEN do a CSR, the private.key does NOT get saved.

When you go back to the SSL section and try to paste in your new crt, alongside the existing "-----BEGIN RSA PRIVATE KEY-----", the key will come up as invalid, because it STILL uses the letsencrypt private key, and not the CSR one...
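The workflow the original poster asks for (generate the key + CSR somewhere that is not the live key, keep both, and only install once the CA-issued certificate arrives) and the failure described in the last post (a certificate pasted next to a key that is not the one the CSR was made from) both come down to one check: do the key and the certificate/CSR carry the same public key? The script below is an added example, not code from the thread or from DirectAdmin. It assumes `openssl` is on the PATH; the staging directory, subject fields and domain name are placeholders you would replace.

```shell
#!/bin/sh
# Added example, not from the thread or from DirectAdmin.
# Generates a key + CSR into a staging directory that the control panel
# never reads, and checks that a certificate (or CSR) belongs to a key
# before it is installed. Assumes openssl is installed.
set -eu

# Generate a fresh RSA key and CSR into $1 for common name $2.
# Nothing is installed or activated; the live key/cert are untouched.
gen_csr() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    # Subject fields are placeholders; use your real organisation details.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/new.key" -out "$dir/new.csr" \
        -subj "/C=NL/O=Example Ltd/CN=$cn" 2>/dev/null
    chmod 600 "$dir/new.key"     # keep the private key readable by you only
}

# Print the SHA-256 fingerprint of the public key held in a
# private key ("key"), a CSR ("csr") or a certificate ("crt").
pub_fp() {
    case $1 in
        key) openssl pkey -in "$2" -pubout 2>/dev/null ;;
        csr) openssl req  -in "$2" -pubkey -noout 2>/dev/null ;;
        crt) openssl x509 -in "$2" -pubkey -noout 2>/dev/null ;;
        *)   echo "unknown type: $1" >&2; return 2 ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches <private.key> <csr|crt> <file>
# Succeeds only when the private key and the CSR/certificate share a
# public key. A CA-issued cert that fails this check against the key
# you intend to install with it will be rejected, exactly as in the
# Let's Encrypt-key case above.
key_matches() {
    [ "$(pub_fp key "$1")" = "$(pub_fp "$2" "$3")" ]
}

# install_check <private.key> <issued.crt>
# Gate to run right before pasting key + cert into the panel.
install_check() {
    if key_matches "$1" crt "$2"; then
        echo "OK: $2 was issued for the public key in $1"
        return 0
    fi
    echo "MISMATCH: $2 does not belong to $1; find the key the CSR was made from" >&2
    return 1
}
```

Usage: `gen_csr /root/ssl-staging example.com` leaves `new.key` and `new.csr` in `/root/ssl-staging`; submit `new.csr` to the CA, and once the certificate arrives run `install_check /root/ssl-staging/new.key issued.crt` before touching the panel. If the check fails, the certificate was issued for a different CSR/key (for example one the panel generated), and pasting it will produce the "key invalid" result described above.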
 