Solved

AS2 SSL certificate renewal process

Posted on 2014-11-04
14
Medium Priority
734 Views
Last Modified: 2014-11-07
Hello

We need to renew the certificate we use to sign our AS2 communications. I understand it is possible to renew a certificate using the same key, so that our AS2 partners do not need to update the certificate at their side. Is this true, and does anyone have experience of doing it with GoDaddy?

Secondly, what happens when the certificate expires at the AS2 partner/client side? Our certificate on our AS2 server will be the renewed one, but our clients' will be the old one? I presume we need to send the new one for them to update on their system before the expiry period?

Cheers
James
0
Comment
Question by:failed
14 Comments
 
LVL 64

Expert Comment

by:btan
ID: 40423167
(1) When you renew a certificate, you have the option of using the existing key set or creating a new key set.  If you use the same key set, the certificate should continue to work with your partners.

However, you can use this procedure to request certificates from an enterprise CA only. In this case, using GoDaddy, you are not running such a CA owned by your enterprise.

Renewal cert from GoDaddy - https://support.godaddy.com/help/article/5362/renewing-your-ssl-certificate-server-instructions?countrysite=sg

Furthermore, renewing a certificate with the same key provides maximum compatibility with past uses of the accompanying key pair, but it does not enhance the security of the certificate and key pair.

http://technet.microsoft.com/en-us/library/cc726033.aspx

(2) For a client/partner with an expired AS2 cert (your old cert), the comms will fail, as it is considered invalid, and hence early planning has to be done prior to expiry. Below are practices for consideration (in case you are into alternatives and experience, you can check out ECGridOS), e.g.:
Send a copy of your public certificate with every message you send to your trading partners for initial setup and changes. Do not make them look for previous messages or have to bother you to request the certificate again.

Attach the certificate to the e-mail in several ways. Many e-mail programs have problems with certificates as attachments. Attach with the extension renamed to .txt, zip it and attach the Zip file. Also, if you can, post it on a web site and give your trading partners the URL where they can download it.

There is one thing that can’t be avoided, adding a new trading partner just before you are going to update your certificate. Do let them know right then and there that you plan to update shortly.

Save your expired private keys and public certificates from your trading partners. If for some reason you ever need to revalidate or decrypt an old message, you will need these.
Ref
- http://www.ld.com/as2-part-2-best-practices/
- http://www.ld.com/as2-part-3-certificates/
0
 

Author Comment

by:failed
ID: 40426672
Hi btan,

Thanks for your help here.

If I use the original CSR, surely I can renew with the same key with GoDaddy, and then install this cert on my server?
0
 
LVL 64

Expert Comment

by:btan
ID: 40427477
Based on the GoDaddy site, yes, it can be renewed using the original CSR; however, if any of the information in your CSR (including company name or address information) has changed, you must generate and submit a new CSR before your certificate can be renewed. I doubt you have changes to that info.

https://support.godaddy.com/help/article/5362/renewing-your-ssl-certificate-server-instructions?countrysite=sg

Though not recommended from a security view, it can still renew a certificate with the same key, as mentioned in MS http://technet.microsoft.com/en-us/library/cc758448%28v=ws.10%29.aspx
0
 

Author Comment

by:failed
ID: 40428051
Thanks again btan.

I have the certificate that is about to expire on my IIS server at the moment.

Once I have renewed the certificate using the original CSR with GoDaddy, what is the best method to load it on to my IIS 8 server? Should I choose 'Complete Certificate Request'? Or should I remove the old one and import the new one?

I presume this new/renewed certificate will work with the 'old' public key certs that our AS2 partners are currently using, since the key pair will be the same?
0
 
LVL 64

Expert Comment

by:btan
ID: 40428100
Back up the old cert (pfx included) and proceed to import the new cert (pfx). The intent of the same keyset is to reuse the same keys, but the other info may change, like the timestamp, serial no., etc. See this blog and my last statement in this post:

http://blogs.technet.com/b/configmgrteam/archive/2009/02/11/how-to-renew-the-site-server-signing-certificate-microsoft-certificate-services.aspx
..the IIS site system certificates for server authentication can be easily renewed from the Certificates MMC, by right-clicking on the certificate and selecting All Tasks, and then either Renew Certificate with New Key (recommended), or Renew Certificate with Same Key.
Or there is a manual means stated in the link using Certutil:
Want to renew the certificate with an existing key set?  Use my previous post to find the long string of numbers for the certificate's key container, using the Certutil command.  Then specify this string in the .inf file with the KeyContainer option, along with UseExistingKeySet = Yes
Once the request is done, you should be able to import and install as per
https://support.godaddy.com/help/article/4802/renewing-an-ssl-certificate-microsoft-iis-7-x

But do note the below from the MS blog:
Even though you've renewed the existing certificate rather than replaced it, it still has a new serial number and a new certificate thumbprint.  This means that you must still specify the renewed site server signing certificate in the site properties, Site Mode tab.
0
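The two points btan makes above, that a same-key renewal keeps the partner's stored public key valid while the serial number and thumbprint still change, and, from the first answer, that an expired certificate at the partner side simply fails and must be planned for ahead of expiry, can both be checked mechanically. The following Go program is an added example, not code from this thread, from GoDaddy or from Microsoft. It generates one RSA key pair and two self-signed certificates for it as stand-ins for the expiring certificate and its renewal (the subject name, serial numbers and dates are constructed placeholders), compares the SubjectPublicKeyInfo of the two, reports the serial and SHA-1 thumbprint of each, and flags how many days the old certificate has left against a chosen distribution window.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// RenewalReport lists what a trading partner sees change, and what stays
// the same, when a certificate is renewed with its existing key pair.
type RenewalReport struct {
	SameKey       bool   // identical SubjectPublicKeyInfo: the partner's stored public key still matches
	OldSerial     string // hex serial numbers; a renewal always gets a new one
	NewSerial     string
	OldThumbprint string // SHA-1 over the DER, the "thumbprint" the Windows certificate store shows
	NewThumbprint string
}

func thumbprint(c *x509.Certificate) string {
	sum := sha1.Sum(c.Raw)
	return hex.EncodeToString(sum[:])
}

// CompareRenewal checks whether newCert reuses oldCert's public key and
// reports the identifiers that change even on a same-key renewal.
func CompareRenewal(oldCert, newCert *x509.Certificate) RenewalReport {
	return RenewalReport{
		SameKey:       bytes.Equal(oldCert.RawSubjectPublicKeyInfo, newCert.RawSubjectPublicKeyInfo),
		OldSerial:     oldCert.SerialNumber.Text(16),
		NewSerial:     newCert.SerialNumber.Text(16),
		OldThumbprint: thumbprint(oldCert),
		NewThumbprint: thumbprint(newCert),
	}
}

// DaysRemaining is how many whole days are left before c stops validating.
func DaysRemaining(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

// NeedsDistribution is true once c expires within window of now, i.e. the
// renewed certificate should already be in the partners' hands.
func NeedsDistribution(c *x509.Certificate, now time.Time, window time.Duration) bool {
	return !c.NotAfter.After(now.Add(window))
}

// selfSigned is a constructed stand-in for a CA-issued certificate so the
// example runs offline; the subject name is a placeholder.
func selfSigned(key *rsa.PrivateKey, serial int64, notBefore time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "as2.example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0), // one-year validity
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildSameKeyRenewal generates one RSA key pair and two certificates for it:
// the expiring "old" certificate and its same-key renewal (constructed data).
func BuildSameKeyRenewal() (*x509.Certificate, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	start := time.Date(2013, 11, 7, 0, 0, 0, 0, time.UTC)
	oldCert, err := selfSigned(key, 1001, start)
	if err != nil {
		return nil, nil, err
	}
	newCert, err := selfSigned(key, 2002, start.AddDate(1, 0, 0))
	if err != nil {
		return nil, nil, err
	}
	return oldCert, newCert, nil
}

func main() {
	oldCert, newCert, err := BuildSameKeyRenewal()
	if err != nil {
		panic(err)
	}
	r := CompareRenewal(oldCert, newCert)
	fmt.Printf("same public key: %v\n", r.SameKey)
	fmt.Printf("serial:     %s -> %s\n", r.OldSerial, r.NewSerial)
	fmt.Printf("thumbprint: %s -> %s\n", r.OldThumbprint, r.NewThumbprint)
	now := time.Date(2014, 10, 15, 0, 0, 0, 0, time.UTC) // constructed "today"
	fmt.Printf("old cert: %d days left, distribute renewal now: %v\n",
		DaysRemaining(oldCert, now), NeedsDistribution(oldCert, now, 30*24*time.Hour))
}
```

To run the same check against a real renewal, replace BuildSameKeyRenewal with x509.ParseCertificate over the DER of the certificate currently installed and the one downloaded from the CA; a SameKey of false means the partners must load the new public certificate, and a true result still leaves the new serial and thumbprint to be updated wherever the AS2 software pins them.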
 
LVL 64

Expert Comment

by:btan
ID: 40428102
Just in case it really crops up, then you have to refurnish the cert, but it should not. Below is another, in case you really cannot find the private key, for info:
http://blogs.iis.net/lprete/archive/2007/11/25/assign-a-private-key-to-a-new-certificate-after-you-use-the-certificates-snap-in-to-delete-the-original-certificate-in-internet-information-services.aspx
0
 

Author Comment

by:failed
ID: 40428144
Just having a look at the 'Renew Certificate with Same Key' option in the Certificates snap-in, I get an error: 'Enrollment error, the request contains no certificate template information'.
0
 
LVL 64

Expert Comment

by:btan
ID: 40428374
See if the forum shared may help:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/298006b4-533b-4c88-a5fd-461ecf5a0a42/the-request-contains-no-certificate-template-information-0x80094801-2146875391-denied-by-policy?forum=winserversecurity
This issue may be caused by incorrect Certificate Template permission settings. Let’s give Authenticated user Enroll permission:
1.    Open MMC, click File menu, choose Add/Remove Snap-in, choose Certificate Templates, click OK.
2.    Double-click the Web Server template, switch to the Security tab, select Authenticated Users, tick the Enroll option. Click OK.
3.    Open CA console, stop CA service and restart it.
4.    Try to open MMC->Certificates of Local Computer, try to request Web Server certificates.
Note Stand-alone CAs do not use certificate templates. Therefore, this issue occurs only when you use the Certification Authority MMC snap-in to request a certificate from an enterprise CA.
It depends on what type of CA you are using for the semantics of the submission.
1) Generate the request using the IIS Manager console.
2) For enterprise CAs, use the Domain Certificate request option (this does a direct submission to the CA, hard-coded for the Web Server certificate template; just change permissions to allow a custom global or universal group Read and Enroll permissions).
3) For standalone CAs, use the certificate request; this creates a PKCS#10 request that must be submitted to the CA. (You can also do this for an enterprise CA.) Then submit the request using certreq or the Web enrollment pages (submitting a PKCS#10 request), selecting the associated certificate template if submitting to an enterprise CA. (This method allows you to use a custom certificate template rather than Web Server.)
4) Complete the request at the IIS Manager console.
0
 

Author Comment

by:failed
ID: 40428432
I don't have the Certificate Template snap-in, presumably because I'm not running an Enterprise CA?
0
 
LVL 64

Expert Comment

by:btan
ID: 40428444
Yup, as you are using GoDaddy.
0
 

Author Comment

by:failed
ID: 40428498
OK so to summarise:

1) We can renew our certificate using the original CSR (I've spoken to GoDaddy to confirm this)

2) This will retain the original key therefore allowing our AS2 partners to continue exchanging information using the 'old' public key up until the expiry date of the 'old' certificate

3) We are using a 3rd party CA therefore we can't renew through the Certificates snap-in; we must go in to IIS once we have downloaded the new certificate files and 'complete certificate request' as per these instructions: https://support.godaddy.com/help/article/4801/installing-an-ssl-certificate-in-microsoft-iis-7
0
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 40428524
Yes, that is what I think and what the forum has shed so far. There is also mention of using the Certutil command (with UseExistingKeySet = Yes) command line as an alternative to the snap-in. I am not certain this is workable, as it seems more for MS CA instead of GoDaddy... stick to resubmitting to GoDaddy for advice then... as mentioned, worst case, re-send the new cert with key then (ref in my first post).
0
 

Author Comment

by:failed
ID: 40428740
Thanks for your help btan; you've helped make things clearer in my head and I have a plan now :)
0
 
LVL 64

Expert Comment

by:btan
ID: 40429692
No worries. Thanks!
0
