1

I have a VPS(Virtual Private Server) that I want to launch my Angular + NodeJS website on it. I want to buy also SSL certificate for my domain address. In buying SSL process it asks for CSR code that seems I must create on my VPS.

But what if I decided to change my VPS provider in next month? Or even again after two months? Is there any restriction/limitation to creating new CSR codes and changing them in future? How many times I can create CSR code for new servers if I changed my website hosting server?

user3486308
  • 115
  • 6

2 Answers2

3

As long as you have access to the private key you can generate as many Certificate Signing Requests (CSR) for it as you want. Each Certification Authority (CA) that you give this CSR will return a new and different certificate. You will have to use the root and intermediate certificates provided by the corresponding CA.

You should be able to transfer the private key and the certificates to any other server, provided you change the domain name server (DNS) for your domain to point to the IP of that new server. Make sure that you don't accidently leak the private key during the transfer process.

digijay
  • 1,155
  • 3
  • 11
  • 22
  • 1
    Why specifically "if you have a **domain-validated** certificate"? – Håkan Lindqvist Aug 30 '20 at 08:08
  • Because I wasn't not sure if an extended validation certificate might contain information referring to the IP the domain points to. But [that doesn't seem to be the case](https://cabforum.org/extended-validation/) so thanks for the hint! corrected! – digijay Aug 30 '20 at 08:21
2

The question is largely about the terms and conditions of individual CAs, rather than technical issues. Different CAs will have different terms, so the specifics will vary.

However, here are my suggestions:

  • You may want to use a CA like Let's Encrypt to completely remove the "but it costs money" part of the equation and have automated certificate renewal to boot

  • If you are buying a certificate (if you for whatever reason want the higher tiers of validation, for instance), you may want to back up the private key and certificate (+intermediate certificates, as necessary) in a secure location. This way you can simply restore these on the same or on a different server as needed.
    Do keep in mind that in case the reason for needing to restore is any kind of server compromise, you should instead revoke the certificate and start over with a new key.

  • If you are buying a certificate, you may want to shop around, not only looking at price but also reading the terms of the CA. This is where you will find these kinds of non-technical policies like whether they will allow you to re-issue/re-key the certificate for free, and if there is a limited number of times this can be done.

Håkan Lindqvist
  • 35,011
  • 5
  • 69
  • 94