How to Renew an Apache SSL Certificate with Restricted SSH and WinSCP Permissions
When managing production enterprise infrastructure, you rarely have direct root access via SFTP or SSH for security reasons. Instead, you often have to navigate multi-layered permissions—logging in as a standard user, transferring files locally, and escalating privileges via CLI to finalize configurations. In this tutorial, we will walk through the step-by-step procedure to safely renew an Apache SSL certificate under a restricted environment where WinSCP access is limited to a non-root user (sysops), requiring command-line intervention to complete the installation. Prerequisites A target Apache web server (CentOS/RHEL-based configuration using /etc/httpd/). A standard user account (sysops) with sudo privileges. The new SSL certificate (.crt) and CA bundle/chain file ready on your local machine. Step 1: Backup Existing Certificates Before making any changes to production security files, always back up the working configuration. Access the server via PuTTY using the sysops account, and switch to the root user or use sudo to create a backup of your existing keys: sudo cp /etc/httpd/server.crt /etc/httpd/server.crt.bak sudo cp /etc/httpd/server.key /etc/httpd/server.key.bak Step 2: Stage the New Certificates via WinSCP Because your WinSCP session cannot log in directly as root, you must stage the files in a directory your user owns. Open WinSCP and log in using your sysops credentials. Upload your new certificate files (nouveau_certificat.crt and nouveau_certificat_chain.pem) directly into your home directory: /home/sysops/. Step 3: Install and Replace the Certificates Now, return to your terminal session (PuTTY) to move the files from your staging directory to the protected Apache directory using elevated privileges. Copy the new primary certificate sudo cp /home/sysops/nouveau_certificat.crt /etc/httpd/server.crt Copy the new certificate chain / CA bundle sudo cp /home/sysops/nouveau_certificat_chain.pem /etc/httpd/server-ca.crt Step 4: Verify Permissions and Ownersh