Moving servers and IPs will change. Do SSL certificates need to be re-issued and installed?

We are moving servers to another facility with different block of IP addresses. Will we need to get new SSL certificates issued and installed once the move has taken place?

If so, is there any way to get prepared for this before the server is moved instead of waiting for it to boot up to then go through the process of requesting from IIS, going to certificate vendor, etc?


Solution 1:

Most (I think ALL) SSL certificates are domain-name-based, so there should be no need to get a new certificate as long as the hostname of the server will be the same after the move.

It will require a DNS change, timed with the move, however.

Solution 2:

No, SSL is tied to the domain name, not the public IP address. For your prep though, you should set your DNS TTL to be low, so that propagation is quick.

The only time SSL and IP clash is when you are working with multiple SSL certs on a single IIS box.

6 years later, I wanted to add a quick edit to this one. I know the question wasn't about assigning an SSL cert to an IP, but that is possible.

"An SSL certificate is typically issued to a Fully Qualified Domain Name (FQDN) such as "https://www.domain.com". However, some organizations need an SSL certificate issued to a public IP address. This option allows you to specify a public IP address as the Common Name in your Certificate Signing Request (CSR). The issued certificate can then be used to secure connections directly with the public IP address (e.g., https://123.456.78.99.)."

Solution 3:

SSL certificates are tied to a single IP address insofar as you can only have one certificate bound to a given IP address. The certificates themselves are expected to match the Common Name (CN), which is typically the hostname entered into DNS and configured for the service (IMAP, HTTPS, SMTP, etc.).

That said, the moving of servers and changing the IP address is not a problem so long as you take the necessary steps to update the DNS for the respective hostname entry to point to the new IP address. As mentioned, you can limit the potential time by lowering the TTL so that the change propagates quickly; you can also make the DNS IP address change before actually moving the server so the update will go into effect before the change, thus lowering the possible unreachability.
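The point the answers make, that a certificate is validated against the name the client connects to and never against the server's IP, can be shown without a network. The script below is an added example (not code from any of the answers above): it implements a small RFC 6125-style name matcher over certificate dictionaries shaped like Python's `ssl.SSLSocket.getpeercert()` output. Both certificates are constructed samples using documentation addresses; `DNS_CERT` is the usual hostname certificate from Solutions 1 and 3, and `IP_CERT` is the public-IP certificate mentioned in the Solution 2 edit. Running it shows the hostname certificate still matching after the server's IP changes, and failing whenever a client connects by IP literal, with or without the move.

```python
"""Added example: how TLS name checks treat a certificate's names when a
server moves to a new IP block. Not code from the original answers.

Certificates are plain dictionaries constructed to mirror the shape that
ssl.SSLSocket.getpeercert() returns, so the matcher works offline.
"""
import ipaddress

# Constructed sample: a typical certificate issued to hostnames only.
DNS_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

# Constructed sample: the rarer case from the vendor quote, a certificate
# whose name is a public IP address (documentation address, not a real host).
IP_CERT = {
    "subject": ((("commonName", "203.0.113.10"),),),
    "subjectAltName": (("IP Address", "203.0.113.10"),),
}

OLD_IP = "198.51.100.7"   # constructed: address in the old facility
NEW_IP = "203.0.113.10"   # constructed: address in the new facility


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one DNS name pattern against a hostname, case-insensitively.
    A wildcard is honoured only as the whole left-most label and only when
    at least two labels follow it, so '*.com' never matches 'example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if (p_labels[0] == "*" and len(p_labels) == len(h_labels)
            and len(h_labels) > 2):
        return p_labels[1:] == h_labels[1:]
    return False


def cert_matches(cert: dict, target: str) -> bool:
    """Return True if `target` (a hostname or IP literal) is a name the
    certificate was issued for.

    An IP target matches only an 'IP Address' SAN entry, never a DNS name.
    A hostname target matches DNS SAN entries; the subject CN is consulted
    only when the certificate carries no SAN at all (legacy behaviour)."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in san)
    dns_names = [val for kind, val in san if kind == "DNS"]
    if not dns_names:
        dns_names = [val for rdn in cert.get("subject", ())
                     for key, val in rdn if key == "commonName"]
    return any(_dns_name_match(name, target) for name in dns_names)


def move_scenario() -> dict:
    """Walk through the question's situation with the constructed samples.
    The server's IP is not an input to the name check, which is the whole
    reason the hostname certificate survives the move unchanged."""
    return {
        "hostname, old IP": cert_matches(DNS_CERT, "www.example.com"),
        "hostname, new IP": cert_matches(DNS_CERT, "www.example.com"),
        "client uses old IP literal": cert_matches(DNS_CERT, OLD_IP),
        "client uses new IP literal": cert_matches(DNS_CERT, NEW_IP),
        "IP cert, client uses its IP": cert_matches(IP_CERT, NEW_IP),
        "IP cert, client uses hostname": cert_matches(IP_CERT, "www.example.com"),
    }


if __name__ == "__main__":
    for case, ok in move_scenario().items():
        print(f"{case:32s} -> {'valid' if ok else 'NAME MISMATCH'}")
```

The one case that does change with the move is the IP-named certificate: a client that connects by IP literal against `IP_CERT` is only valid while the server actually keeps that address, so that kind of certificate would need to be re-issued for the new block, whereas the hostname certificate only needs the DNS record updated.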