Solved

AS2 SSL certificate renewal process

Posted on 2014-11-04
Last Modified: 2014-11-07
Hello

We need to renew the certificate we use to sign our AS2 communications. I understand it is possible to renew a certificate using the same key, so that our AS2 partners do not need to update the certificate at their side. Is this true and has anyone have experience of doing it with godaddy?

Secondly, what happens when the certificate expires at the AS2 partner/client side? Our certificate on our AS2 server will be the renewed one, but our client's will be the old one? I presume we need to send the new one for them to update on their system before the expiry period?

Cheers
James
Question by:failed
14 Comments
 
LVL 61

Expert Comment

by:btan
ID: 40423167
(1) When you renew a certificate, you have the option of using the existing key set or creating a new key set.  If you use the same key set, the certificate should continue to work with your partners.

However, you can use this procedure to request certificates from an enterprise CA only. In this case, using the GoDaddy, you are not running such CA owned by your Enterprise.

Renewal cert from GoDaddy - https://support.godaddy.com/help/article/5362/renewing-your-ssl-certificate-server-instructions?countrysite=sg

Furthermore, renewing a certificate with the same key provides maximum compatibility with past uses of the accompanying key pair, but it does not enhance the security of the certificate and key pair.

http://technet.microsoft.com/en-us/library/cc726033.aspx

(2) For a client/partner with an expired AS2 cert (your old cert), the comms will fail as it is considered invalid, and hence early planning has to be done prior to expiry. Below are practices for consideration. (In case you are into alternatives and experience, you can check out ECGridOS.) E.g.
Send a copy of your public certificate with every message you send to your trading partners for initial setup and changes. Do not make them look for previous messages or have to bother you to request the certificate again.

Attach the certificate to the e-mail in several ways. Many e-mail programs have problems with certificates as attachments. Attach with the extension renamed to .txt, zip it and attach the Zip file. Also, if you can, post it on a web site and give your trading partners the URL where they can download it.

There is one thing that can’t be avoided, adding a new trading partner just before you are going to update your certificate. Do let them know right then and there that you plan to update shortly.

Save your expired private keys and public certificates from your trading partners. If for some reason you ever need to revalidate or decrypt an old message, you will need these.
Ref
- http://www.ld.com/as2-part-2-best-practices/
- http://www.ld.com/as2-part-3-certificates/
0
 

Author Comment

by:failed
ID: 40426672
Hi btan,

Thanks for your help here.

If I use the original CSR, surely I can renew with the same key with godaddy, and then install this cert on my server?
0
 
LVL 61

Expert Comment

by:btan
ID: 40427477
Based on the GoDaddy site, yes, it can be renewed using the original CSR; however, if any of the information in your CSR (including company name or address information) has changed, you must generate and submit a new CSR before your certificate can be renewed. I doubt you have changes to that info.

https://support.godaddy.com/help/article/5362/renewing-your-ssl-certificate-server-instructions?countrysite=sg

Though not recommended from a security point of view, it can still renew a certificate with the same key, as mentioned in MS http://technet.microsoft.com/en-us/library/cc758448%28v=ws.10%29.aspx
0
 

Author Comment

by:failed
ID: 40428051
Thanks again btan.

I have the certificate that is about to expire on my IIS server at the moment.

Once I have renewed the certificate using the original CSR with godaddy, what is the best method to load it on to my IIS 8 server? Should I choose 'complete certificate request'? Or should I remove the old one and import the new one?

I presume this new/renewed certificate will work with the 'old' public key certs that our AS2 partners are currently using, since the key pair will be the same?
0
 
LVL 61

Expert Comment

by:btan
ID: 40428100
Back up the old cert (PFX included) and proceed to import the new cert (PFX). The intent of the same key set is to reuse the same keys, but the other info may change, like the timestamp, serial no., etc. See this blog and my last statement in this post.

http://blogs.technet.com/b/configmgrteam/archive/2009/02/11/how-to-renew-the-site-server-signing-certificate-microsoft-certificate-services.aspx
..the IIS site system certificates for server authentication can be easily renewed from the Certificates MMC, by right-clicking on the certificate and selecting All Tasks, and then either Renew Certificate with New Key (recommended), or Renew Certificate with Same Key.
Or there is a manual means stated in the link using Certutil:
Want to renew the certificate with an existing key set?  Use my previous post to find the long string of numbers for the certificate's key container, using the Certutil command.  Then specify this string in the .inf file with the KeyContainer option, along with UseExistingKeySet = Yes
Once the request is done, you should be able to import and install as per
https://support.godaddy.com/help/article/4802/renewing-an-ssl-certificate-microsoft-iis-7-x

But do note the below from the MS blog
Even though you've renewed the existing certificate rather than replaced it, it still has a new serial number and a new certificate thumbprint.  This means that you must still specify the renewed site server signing certificate in the site properties, Site Mode tab.
0
 
LVL 61

Expert Comment

by:btan
ID: 40428102
Just in case it really crops up, the cert has to be refurnished, but it should not. Below is another link for info, in case you really cannot find the private key.
http://blogs.iis.net/lprete/archive/2007/11/25/assign-a-private-key-to-a-new-certificate-after-you-use-the-certificates-snap-in-to-delete-the-original-certificate-in-internet-information-services.aspx
0
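The two comments above make two points worth checking on the IIS host itself: a renewal with the same key set still gets a new serial number and thumbprint, and a certificate that ends up without its private key cannot be used. As an added example (not code from the thread, from GoDaddy or from the Microsoft articles linked), the PowerShell below compares the expiring and the renewed certificate, reports what stayed the same (the public key the AS2 partners rely on) and what changed, warns when the private key is missing, and exports the public certificate for partners. It assumes both certificates are already in the Local Machine Personal store on the IIS 8 host; the two thumbprint values and the export path are placeholders you substitute.

```powershell
# Added example, not from the thread. Assumes the expiring certificate and the
# renewed one (completed from the GoDaddy-issued files) are both in the Local
# Machine "Personal" store on the IIS 8 host. The two thumbprints below are
# placeholders, not real values; replace them with your own.
$oldThumbprint = 'REPLACE_WITH_OLD_CERT_THUMBPRINT'
$newThumbprint = 'REPLACE_WITH_RENEWED_CERT_THUMBPRINT'

function Compare-RenewedCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Old,
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $New
    )

    # AS2 partners verify your signatures and encrypt to you with the public key,
    # so the check that matters is whether the SubjectPublicKeyInfo bytes are
    # identical. Thumbprint, serial number and validity dates are expected to
    # differ on any renewal, same key set or not.
    $oldKey = [Convert]::ToBase64String($Old.GetPublicKey())
    $newKey = [Convert]::ToBase64String($New.GetPublicKey())

    [pscustomobject]@{
        SameKeyPair      = ($oldKey -ceq $newKey)
        KeyAlgorithm     = $New.PublicKey.Oid.FriendlyName
        OldSerial        = $Old.SerialNumber
        NewSerial        = $New.SerialNumber
        OldThumbprint    = $Old.Thumbprint
        NewThumbprint    = $New.Thumbprint
        OldExpires       = $Old.NotAfter
        NewExpires       = $New.NotAfter
        NewHasPrivateKey = $New.HasPrivateKey
    }
}

$old = Get-Item "Cert:\LocalMachine\My\$oldThumbprint"
$new = Get-Item "Cert:\LocalMachine\My\$newThumbprint"
$result = Compare-RenewedCertificate -Old $old -New $new
$result | Format-List

if (-not $result.SameKeyPair) {
    Write-Warning 'The renewed certificate carries a NEW key pair. Partners must install it before the old one expires.'
}

if (-not $result.NewHasPrivateKey) {
    # A certificate imported without its key (for example when the pending request
    # was completed on another machine, or deleted before completion) cannot sign
    # or decrypt AS2 messages. If the key container still exists on this host,
    # certutil can re-link it by serial number; this is the manual counterpart of
    # the IIS blog post linked above.
    Write-Warning "No private key attached. Try: certutil -repairstore my $($result.NewSerial)"
}

# Partners only ever need the public certificate. Export the renewed one in DER
# form and also as a .txt copy, since some mail gateways strip .cer attachments.
$exportPath = Join-Path $env:TEMP 'as2-renewed.cer'   # assumed location
Export-Certificate -Cert $new -FilePath $exportPath -Type CERT | Out-Null
Copy-Item $exportPath ($exportPath + '.txt')
```

Run it in an elevated PowerShell on the IIS host (Export-Certificate comes with the PKI module on Windows Server 2012 and later). Even when SameKeyPair comes back True, anything that references the certificate by thumbprint, such as the IIS HTTPS binding or the certificate selection in the AS2 software, still has to be pointed at the new thumbprint, which is the point the Microsoft blog quote above makes for the site server signing certificate.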
 

Author Comment

by:failed
ID: 40428144
Just having a look at the 'renew certificate with the same key' option in the certificates snap-in, I get an error 'enrollment error, the request contains no certificate template information'
0
 
LVL 61

Expert Comment

by:btan
ID: 40428374
See if the shared forum thread may help
https://social.technet.microsoft.com/Forums/windowsserver/en-US/298006b4-533b-4c88-a5fd-461ecf5a0a42/the-request-contains-no-certificate-template-information-0x80094801-2146875391-denied-by-policy?forum=winserversecurity
This issue may be caused by incorrect Certificate Template permission settings. Let’s give Authenticated user Enroll permission:
1.    Open MMC, click File menu, choose Add/Remove Snap-in, choose Certificate Templates, click OK.
2.    Double-click Web Server template, switch to Security tab, select Authenticated users, click Enroll option. Click OK.
3.    Open CA console, stop CA service and restart it.
4.    Try to open MMC->Certificates of Local Computer, try to request Web Server certificates.
Note Stand-alone CAs do not use certificate templates. Therefore, this issue occurs only when you use the Certification Authority MMC snap-in to request a certificate from an enterprise CA.
It depends on what type of CA you are using for the semantics of the submission.
1) generate the request using the IIS Manager console  
2) For Enterprise CAs, use the Domain Certificate request option (this does a direct submission to the CA, hard-coded for the Web Server certificate template. Just change permissions to allow a custom global or universal group Read and Enroll permissions
3) For standalone CAs, use the certificate request, this creates a PKCS#10 request, that must be submitted to the CA. (You can also do this for an enterprise CA). Then submit the request using certreq or the Web enrollment pages. (submitting a PKCS#10 request) and selecting the associated certificate template if submitting to an enterprise CA. (this method allows you to use a custom certificate template rather than Web Server).
4) Complete the request at the IIS Manager console.
0
 

Author Comment

by:failed
ID: 40428432
I don't have the Certificate Template snap-in, presumably because I'm not running an Enterprise CA?
0
 
LVL 61

Expert Comment

by:btan
ID: 40428444
Yep, as you are using GoDaddy..
0
 

Author Comment

by:failed
ID: 40428498
OK so to summarise:

1) We can renew our certificate using the original CSR (I've spoken to godaddy to confirm this)

2) This will retain the original key therefore allowing our AS2 partners to continue exchanging information using the 'old' public key up until the expiry date of the 'old' certificate

3) We are using a 3rd party CA therefore we can't renew through the Certificates snap-in; we must go in to IIS once we have downloaded the new certificate files and 'complete certificate request' as per these instructions: https://support.godaddy.com/help/article/4801/installing-an-ssl-certificate-in-microsoft-iis-7
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 40428524
Yes, that is what I think and what the forum has shed so far.. there is also mention of using the Certutil command (with UseExistingKeySet = Yes) command line as an alternative to the snap-in. I am not certain this is workable as it seems more for MS CA instead of GoDaddy... stick to resubmitting to GoDaddy for advice then... as mentioned, worst case, re-send the new cert with key then (ref in my first post)
0
 

Author Comment

by:failed
ID: 40428740
Thanks for your help btan; you've helped make things clearer in my head and I have a plan now :)
0
 
LVL 61

Expert Comment

by:btan
ID: 40429692
No worries. Thanks!
0
