John's Blog: Managing Multiple SSL Certificates

January 11, 2016

The process of applying SSL certificates, while fairly straightforward, requires close attention to detail. If you are having trouble getting a cert, here's a link to an entry I wrote a couple of years ago that will help:

Using SSL Certificates In Rumpus

Keeping track of multiple certificate/key pairs would complicate things, so to keep the process as straightforward as possible, only 1 certificate can be applied in Rumpus at any one time. This is a problem, though, if you need to use a self-signed or older certificate while waiting for a signing authority to turn your CSR into a valid cert, so let's take a look at manually managing 2 or more certs in Rumpus.

Rumpus keeps it's certificate and private key files in the Rumpus configuration folder, which can be opened from within Rumpus using the "File" menu, "Open Config Folder" option. Inside the config folder, you will find 2 files, "Rumpus.cert" and "Rumpus.key".

Those 2 files can be backed up or recovered to swap certificates in or out. The important thing to note, as described in my original article on SSL Certificates, is that they function as a pair and must be kept together. When you need to maintain 2 or more certificates, I suggest using a consistent backup naming convention to identify each pair, like "Rumpus.SelfSigned.cert" and "Rumpus.SelfSigned.key".

Let's say you have a certificate that is about to expire, and you need to generate a new CSR and have a new key issued. But while you wait for the authority to issue the new cert, you need to continue to run Rumpus with the old key:

1. Open the config folder and identify the existing "Rumpus.cert" and "Rumpus.key" files.

2. Make a copy of each of those files and name them something like "Rumpus.expiring.cert" and "Rumpus.expiring.key".

3. In Rumpus, use the CSR generation function to create your new CSR.

4. The new "Rumpus.key" file is the key that matches the CSR, and subsequently the new certificate you will receive, so change the name of that key file to "Rumpus.new.key". It isn't technically necessary, but I'd recommend making a copy of the "Rumpus.csr" file and calling it "Rumpus.new.csr", just in case you need to resend it to the authority.

5. Send the CSR off to the signing authority.

6. Make a copy of the "Rumpus.expiring.cert" and "Rumpus.expiring.key" files, and name the copies "Rumpus.cert" and "Rumpus.key" (overwriting the existing files as necessary).

7. When the authority sends your new certificate, apply it normally, then make a copy of the "Rumpus.new.key" file and name the copy "Rumpus.key" (again overwriting the old key file).

The key (sorry for the pun) here is to make sure that each cert/key pair you maintain has a backup, using a common naming convention to uniquely identify each CSR/cert/key group you have created.

It's also worth remembering that private keys must always be kept private. I recommend keeping your backup files in the Rumpus config folder, on the server itself, where they are easy to keep track of and kept secure.

© Copyright 2017, Maxum Development Corp.