When managing production enterprise infrastructure, you rarely have direct root access via SFTP or SSH for security reasons. Instead, you often have to navigate multi-layered permissions—logging in as a standard user, transferring files locally, and escalating privileges via CLI to finalize configurations.
In this tutorial, we will walk through the step-by-step procedure to safely renew an Apache SSL certificate under a restricted environment where WinSCP access is limited to a non-root user (sysops), requiring command-line intervention to complete the installation.
Prerequisites
A target Apache web server (CentOS/RHEL-based configuration using /etc/httpd/).
A standard user account (sysops) with sudo privileges.
The new SSL certificate (.crt) and CA bundle/chain file ready on your local machine.
Step 1: Backup Existing Certificates
Before making any changes to production security files, always back up the working configuration.
Access the server via PuTTY using the sysops account, and switch to the root user or use sudo to create a backup of your existing keys:
sudo cp /etc/httpd/server.crt /etc/httpd/server.crt.bak
sudo cp /etc/httpd/server.key /etc/httpd/server.key.bak
Step 2: Stage the New Certificates via WinSCP
Because your WinSCP session cannot log in directly as root, you must stage the files in a directory your user owns.
Open WinSCP and log in using your sysops credentials.
Upload your new certificate files (nouveau_certificat.crt and nouveau_certificat_chain.pem) directly into your home directory: /home/sysops/.
Step 3: Install and Replace the Certificates
Now, return to your terminal session (PuTTY) to move the files from your staging directory to the protected Apache directory using elevated privileges.
Copy the new primary certificate
sudo cp /home/sysops/nouveau_certificat.crt /etc/httpd/server.crt
Copy the new certificate chain / CA bundle
sudo cp /home/sysops/nouveau_certificat_chain.pem /etc/httpd/server-ca.crt
Step 4: Verify Permissions and Ownership
Apache requires strict file permissions to ensure private keys are not exposed. Navigate to the directory and verify that the file owners, groups, and permissions match your organizational standards:
cd /etc/httpd/
ls -l
Ensure your output aligns with secure permissions (e.g., the private key should ideally be restricted to chmod 600 or 400 owned by root):
-rw-r--r--. 1 root root 4907 Oct 28 2024 server-ca.crt
-rw-r--r--. 1 root root 2313 Oct 9 12:30 server.crt
-rw-------. 1 root root 1704 Oct 9 12:30 server.key
Step 5: Test the Apache Configuration
Never restart a production web server without testing the configuration first. A syntax error or mismatched key pair can cause downtime.
Run the configuration test utility with elevated privileges (the private key is readable only by root, so an unprivileged run will fail on the key file rather than on the configuration):
sudo apachectl configtest
Ensure the output returns Syntax OK before proceeding.
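Syntax OK only proves the directives parse; it says nothing about whether the renewed certificate actually belongs to the private key you kept, or whether it chains to the bundle you uploaded. The following shell functions, added here as an example and not part of the original tutorial, perform those checks with openssl before you restart. They assume openssl is installed and that the three paths are passed as arguments; the file names in the usage comment are the ones used in the steps above. Run them as root (or via sudo) so server.key is readable, and you can equally point them at the staged files in /home/sysops/ before Step 3.

```shell
#!/usr/bin/env bash
# Added example: pre-restart consistency checks for a renewed Apache certificate.
# Assumptions (not from the tutorial): openssl is on PATH and the caller can read the key.

# Return 0 if the certificate's public key equals the public key derived from the private key.
# Both commands emit the key as a PEM SubjectPublicKeyInfo block, so a plain string compare is enough.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate verifies against the supplied CA bundle / chain file.
cert_chain_ok() {
    cert="$1"; chain="$2"
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1
}

# Return 0 if the certificate stays valid for at least N more days (default 30).
cert_not_expiring() {
    cert="$1"; days="${2:-30}"
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Run every check in order; print the first failure and return non-zero.
precheck() {
    cert="$1"; key="$2"; chain="$3"
    cert_matches_key "$cert" "$key" || { echo "FAIL: $cert does not match private key $key"; return 1; }
    cert_chain_ok "$cert" "$chain" || { echo "FAIL: $cert does not verify against chain $chain"; return 1; }
    cert_not_expiring "$cert" 30 || { echo "FAIL: $cert expires within 30 days"; return 1; }
    echo "OK: certificate, private key and chain are consistent"
}

# Usage (as root, after Step 3 and before Step 6):
#   precheck /etc/httpd/server.crt /etc/httpd/server.key /etc/httpd/server-ca.crt
# Or on the staged files before overwriting anything:
#   precheck /home/sysops/nouveau_certificat.crt /etc/httpd/server.key /home/sysops/nouveau_certificat_chain.pem
```

A FAIL on the key check is the classic renewal mistake: a CSR was generated with a fresh key on another machine, so the new server.crt does not belong to the server.key still in /etc/httpd/. Catching it here is cheaper than catching it as an SSLError in the log after a failed restart.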
Step 6: Restart and Verify the Service
Once the configuration test passes successfully, restart Apache to apply the new SSL certificates and check the service status:
Restart the Apache service
sudo systemctl restart httpd
Verify the service is active and running
sudo systemctl status httpd
Your Apache server is now successfully serving the newly renewed SSL certificate!