How to migrate the cert and the key to another server?

Hi! Sorry if the question is duplicated, but I haven’t found a satisfactory answer.
My issue is the following: I have two dedicated servers (DS1 is the production one and DS2 is the standby). On DS1 I have generated a certificate via certbot for my website; what I want now is to share this certificate with DS2. The DNS record of my domain points to DS1 now, but in case of need I want to change it to DS2. Can I just copy the files cert.pem and privkey.pem to DS2 and apply them to my site’s config?

You may be able to accomplish your requirements in several ways.
Here are two that I can think of:

  1. You could use DNS auth on DS2 and it would be able to obtain and renew its own cert regardless of IP/name mismatch. This may be a bit difficult to automate, depending on your O/S, DNS system, etc.
  2. You may be able to automate an export/copy cert from DS1 to DS2. Methods for such vary greatly depending on O/S, cert renewing program, administrative level, systems accessibility, etc.

Maybe you could describe your situation, with as much detail as relevant, and someone here could better advise you.


Just copying fullchain.pem (better than cert.pem) and privkey.pem should work, but the reason the automation that @rg305 recommends is especially important is that these certificates expire every 90 days. Therefore you would need to have a mechanism in place to keep copying the new ones over each time.

For Unix servers this might be done with rsync via ssh, among other options. Certbot can trigger a script with --renew-hook when a certificate renewal occurs, or you could run the rsync regularly regardless of renewal events.
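
The rsync-over-ssh approach from the replies above, written as a certbot hook script (an added example, not code from any poster in this thread). It can be passed to `--deploy-hook`, the current name of `--renew-hook`, or placed in `/etc/letsencrypt/renewal-hooks/deploy/`. The host alias `ds2`, the target directory `/etc/ssl/le` and the nginx reload command are assumptions to adjust.

```shell
#!/bin/sh
# Added example: certbot deploy hook that pushes a renewed certificate to a standby host.
# Assumptions (not from the thread): standby reachable as "ds2" over key-based ssh,
# target directory /etc/ssl/le (must already exist there), nginx on the standby.
STANDBY_HOST="${STANDBY_HOST:-ds2}"
STANDBY_DIR="${STANDBY_DIR:-/etc/ssl/le}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"

# Verify the lineage directory has both files and that they are non-empty.
# [ -s ] follows symlinks, so a dangling link in live/ is caught here.
check_lineage() {
    for f in fullchain.pem privkey.pem; do
        [ -s "$1/$f" ] || { echo "missing or empty: $1/$f" >&2; return 1; }
    done
}

# Copy fullchain.pem and privkey.pem of one lineage to the standby, then reload.
# -L copies the files behind certbot's symlinks in live/ instead of the links;
# -p with --chmod=F600 keeps the copies owner-only, including on overwrite.
sync_lineage() {
    lineage="$1"
    name=$(basename "$lineage")
    check_lineage "$lineage" || return 1
    rsync -Lp --chmod=F600 -e ssh \
        "$lineage/fullchain.pem" "$lineage/privkey.pem" \
        "$STANDBY_HOST:$STANDBY_DIR/$name/" || return 1
    ssh "$STANDBY_HOST" "$RELOAD_CMD"
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) for hooks
# run after a successful renewal; without it the script only defines functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    sync_lineage "$RENEWED_LINEAGE"
fi
```

Because privkey.pem lands in the target directory, that directory on DS2 should be accessible to root only, and the ssh key the hook uses can be limited to this copy and the reload command.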
