How to Renew an Apache SSL Certificate with Restricted SSH and WinSCP Permissions

ghodbani saoussen — Mon, 01 Jun 2026 21:23:12 +0000

When managing production enterprise infrastructure, you rarely have direct root access via SFTP or SSH for security reasons. Instead, you often have to navigate multi-layered permissions—logging in as a standard user, transferring files locally, and escalating privileges via CLI to finalize configurations.

In this tutorial, we will walk through the step-by-step procedure to safely renew an Apache SSL certificate under a restricted environment where WinSCP access is limited to a non-root user (sysops), requiring command-line intervention to complete the installation.

Prerequisites
A target Apache web server (CentOS/RHEL-based configuration using /etc/httpd/).

A standard user account (sysops) with sudo privileges.

The new SSL certificate (.crt) and CA bundle/chain file ready on your local machine.

Step 1: Backup Existing Certificates
Before making any changes to production security files, always back up the working configuration.

Access the server via PuTTY using the sysops account, and switch to the root user or use sudo to create a backup of your existing keys:

sudo cp /etc/httpd/server.crt /etc/httpd/server.crt.bak
sudo cp /etc/httpd/server.key /etc/httpd/server.key.bak

Step 2: Stage the New Certificates via WinSCP
Because your WinSCP session cannot log in directly as root, you must stage the files in a directory your user owns.

Open WinSCP and log in using your sysops credentials.

Upload your new certificate files (nouveau_certificat.crt and nouveau_certificat_chain.pem) directly into your home directory: /home/sysops/.

Step 3: Install and Replace the Certificates
Now, return to your terminal session (PuTTY) to move the files from your staging directory to the protected Apache directory using elevated privileges.

Copy the new primary certificate

sudo cp /home/sysops/nouveau_certificat.crt /etc/httpd/server.crt

Copy the new certificate chain / CA bundle

sudo cp /home/sysops/nouveau_certificat_chain.pem /etc/httpd/server-ca.crt

Step 4: Verify Permissions and Ownership
Apache requires strict file permissions to ensure private keys are not exposed. Navigate to the directory and verify that the file owners, groups, and permissions match your organizational standards:

cd /etc/httpd/
ls -l

Ensure your output aligns with secure permissions (e.g., the private key should ideally be restricted to chmod 600 or 400 owned by root):

-rw-r--r--. 1 root root 4907 Oct 28 2024 server-ca.crt
-rw-r--r--. 1 root root 2313 Oct 9 12:30 server.crt
-rw-------. 1 root root 1704 Oct 9 12:30 server.key

Step 5: Test the Apache Configuration
Never restart a production web server without testing the configuration first. A syntax error or mismatched key pair can cause downtime.

Run the configuration test utility:
apachectl configtest

Ensure the output returns Syntax OK before proceeding.

Step 6: Restart and Verify the Service
Once the configuration test passes successfully, restart Apache to apply the new SSL certificates and check the service status:

Restart the Apache service

sudo systemctl restart httpd

Verify the service is active and running

sudo systemctl status httpd

Restart the Apache service

sudo systemctl restart httpd

Verify the service is active and running

sudo systemctl status httpd

Your Apache server is now successfully serving the newly renewed SSL certificate!

DEV Community: ghodbani saoussen

How to Renew an Apache SSL Certificate with Restricted SSH and WinSCP Permissions

Copy the new primary certificate

Copy the new certificate chain / CA bundle

Restart the Apache service

Verify the service is active and running

Restart the Apache service

Verify the service is active and running