How to install an SSL certificate on multiple servers

Nov 5, 2021 Scott Rogers How-To

"How do I install my SSL certificate on more than one server?" We get asked this question a lot. 

Why would you need to install on multiple servers?

If you buy a wildcard SSL certificate you may want to use that certificate across multiple servers that share the same base domain. Or perhaps you purchase a multi-domain certificate, issued for many different domains, and you want to use it across multiple servers. 

There are generally two methods used to deploy a single SSL certificate across multiple servers: The Export/Import method and the Issue/Reissue method. We'll discuss both.

The Export/Import method

The Export/Import method is the easiest and most popular option, especially for Windows servers. Start with server 1 and then export the SSL keys from server 1 and import to server 2, server 3, and so on. With this method, you'll be using the exact same private key and SSL certificate on each server.

  1. Install your SSL certificate on server 1.
  2. Save your SSL keys from server 1 to a file.
  3. Import the keys you saved in step 2 into server 2, and repeat for additional servers.

Installing an SSL certificate on multiple servers by the Export/Import method

The Issue/Reissue method

The Issue/Reissue method is more complex and time-consuming, but it's also considered more secure and a best practice for handling private keys across multiple servers. With this method you'll be using a unique private key and SSL certificate on each server. First, you issue a certificate for server 1 and then request free certificate reissues for each additional server.

  1. Install your SSL certificate as normal on server 1.
  2. From server 2, generate a fresh private key and Certificate Signing Request (CSR).
  3. Log in to your GeoCerts CertCommand account, find the order, and submit the new CSR for a free reissue.
  4. Complete any pending domain and/or organization validation steps required.
  5. When the reissue is complete, download the certificate files from your account and install them on server 2. 
  6. For each additional server, repeat steps 2 through 5 above. 

Installing an SSL certificate on multiple servers by the Issue/Reissue method
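
Steps 2 through 5 of the Issue/Reissue method, as an added shell example (not GeoCerts' own tooling): it generates a unique key and CSR on each server and checks that a downloaded reissue belongs to this server's key before it is installed. The `*.example.com` name, the `server.key`/`server.csr` file names, the paths and the function names are assumptions, and the `openssl` command-line tool must be installed.

```shell
#!/bin/sh
# Added example for the Issue/Reissue method; names and paths are assumptions.

# new_key_and_csr DIR COMMON_NAME
# Run on the server itself: writes DIR/server.key and DIR/server.csr.
new_key_and_csr() {
    dir=$1 cn=$2
    mkdir -p "$dir" || return 1
    # Never overwrite a key that may already be in production use.
    if [ -e "$dir/server.key" ]; then
        echo "refusing to overwrite $dir/server.key" >&2
        return 1
    fi
    ( umask 077   # the private key must not be readable by other users
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
          -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null )
}

# pubkey_fp FILE KIND: SHA-256 of the public key inside a key, csr or cert.
pubkey_fp() {
    case $2 in
        key)  pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) ;;
        csr)  pub=$(openssl req  -in "$1" -noout -pubkey 2>/dev/null) ;;
        cert) pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$pub" ] || return 1   # an unreadable file must never compare equal
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_key CERT KEY: true only if the reissued certificate was
# issued for this server's key (per-server reissues are easy to mix up).
cert_matches_key() {
    a=$(pubkey_fp "$1" cert) || return 1
    b=$(pubkey_fp "$2" key)  || return 1
    [ "$a" = "$b" ]
}

# Typical use on server 2 (paths are placeholders):
#   new_key_and_csr /etc/ssl/server2 '*.example.com'   # submit server.csr
#   cert_matches_key downloaded.crt /etc/ssl/server2/server.key && echo OK
```

Because every reissue of the same order carries the same names, the public-key comparison is the only reliable way to tell which downloaded certificate belongs on which server.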

Which method should I use?

Picking the best method depends on the brand/type of servers you are working with. Are they all Windows servers? Are they all Java servers? Or are they a mix of different brands/types of servers? Below we have compiled our recommendations for the most popular servers and use cases.

Windows-to-Windows servers

Recommended method: Export/Import

For Windows servers, like IIS and Exchange, we recommend using the Export/Import method described above. Windows makes it super easy to back up your SSL keys to a Personal Information Exchange (PFX) archive. A PFX file is a single, password-protected certificate archive that contains the entire certificate chain plus the matching private key. Essentially, it is everything that any Windows server will need to import a certificate and private key from a single file.

Java-to-Java servers

Recommended method: Export/Import 

Java-based servers, like Tomcat, use Java Keystores as a storage repository for public key SSL/TLS certificates and their corresponding private keys. A Keystore is created and managed using the keytool command. A Keystore does not contain any information which ties it to a specific system or server so it can be freely copied between servers as needed.

Apache-to-Apache & NGINX-to-NGINX servers

Recommended method: Issue/Reissue

Apache servers do not use a single repository file to store their public key SSL/TLS certificates and the corresponding private keys. Rather, Apache configuration files point to individual certificate and private key files. For this reason, we think it's just easier, and a best practice, to use the Issue/Reissue method rather than trying to copy certificate files from one server to another.

Brand-X to Brand-Y servers

Recommended method: Issue/Reissue

If you have a certificate and private key working on, say, a Windows server and you want to also use it on, maybe, a Java-based server like Tomcat, do not waste your time and frustrate yourself trying to convert a PFX certificate archive to a Java Keystore archive. Use the Issue/Reissue method instead. Generate a new private key and CSR from each type of server and submit for individual reissues.