Pkafkas

How to replace an already expired SSL Certificate.

I have always found SSL Certificates confusing and it is even more confusing if things do not work as planned from the instructions provided. But it is a good opportunity to learn. I have an SSL Certificate from godaddy.com and it has expired (1 month ago, or 30 days ago). It is not a wildcard certificate and we need to renew and replace it for an appliance and its web address. I see notes from: https://support.cartika.com/portal/kb/articles/renewing-your-ssl-certificate-godaddy-19-6-2018 on how to create an SSL certificate and this part seems very familiar and straightforward.

Question1:  Do I need to generate a new CSR from that hosting appliance?
      a.  I am assuming yes and I found out how to do this on the appliance.

Question2:  How do I know what type of certificate to create?  Example, for Apache or Tomcat or Other?
     a.  I see from my notes that all 3 were created last year; but, I am not sure which one was used.
     b.  From the appliance configuration I see a "key Pair" type is listed.

Question3.  I have notes on how to upload the certificate to the appliance; but, I am confused with how to import the certificate correctly.  We had problems initially when a consultant was doing this.  Initially the certificate only worked correctly with iphones and computers; but, not with Android phones.
     a.  The consultant that did this last year had to "create the certificate a little bit differently to go into the product".
     b.  That consultant is no longer with that firm and we do not do business with that firm any longer.
     c.  I do not know what he meant by that.  Maybe I will need to contact the vendor if the problem comes back.

masnrock

Question1:  Do I need to generate a new CSR from that hosting appliance?
Yes.

Question2:  How do I know what type of certificate to create?  Example, for Apache or Tomcat or Other?
Is this an internal SSL certificate leveraging your PKI, or is this for a device that is accessible from the outside? There's a considerable amount of missing information here.

Question3.  I have notes on how to upload the certificate to the appliance; but, I am confused with how to import the certificate correctly.  We had problems initially when a consultant was doing this.  Initially the certificate only worked correctly with iphones and computers; but, not with Android phones.
Without more information, this is too vague to actually provide you with the answer that you're looking for. What type of device are we even talking about?
Pkafkas

ASKER

This device/appliance/web address is accessible outside.

If there is information missing ... that just shows how much I am not sure how to proceed; but, I am trying to be secretive where it is in the best interest of the company.

1).  This appliance is used for 2 Factor Authentication.  
2).  This appliance is used for users to authenticate with an Authentication APP.
        a.  This appliance is used for users to login and associate a smartphone with their account.
3).  It is not in production and we have been testing it for the past year.
4).  We were getting ready for production but the certificate expired.
5).  Since the certificate expired the smart phone applications will not authenticate correctly.
        a.  The smartphone app uses the web address to communicate with the outside world.
        b.  One cannot even add a smartphone to a user's account since the certificate is expired.

When we were originally setting this up, the certificate was imported by a consultant and during the testing process the smartphone enrollment only worked with iphones and a pixel phone; but not with Android phones.  Then after a lot of trial and error we got android phones to work.  The consultant stated: "I created the certificate file a bit differently to go into the program."  Whatever that means.  But that was when the 2FA appliance allowed Android phones to be enrolled with 2FA for users.

The certificate problem with the Android phones may be a vendor specific problem.  If it happens again I may need to call the vendor.
masnrock

Alright, tell us what you do know about the hosting appliance (in terms of specs, etc). Might make it easier to assist.
1. You can reuse the existing CSR, but that is not required.

2. I am unsure. Certs are usually generic, but some software wants separate files for the private key and the certificate authority chain. Many allow multiple setups. That can be handled with some copy and paste.

3. This is usually a matter of CA chains. Newer vendors are not natively handled by older browsers. A proper certificate authority chain alleviates this.

There are also limits regarding ciphers, number of bytes... but those likely won't kick in with a new cert.
arnold

Good info.

Question #1
Much depends on what is in use and what options are available from the current issuer if it is being used to get a new certificate from.
If the issuer changes, a new csr is required.
If the appliance supports, getting a renewed certificate from the current issuer might be sufficient since the key used to generate the prior csr is present.

Question #2
Use the current certificate as a reference. Look through certificate info for OID, function detailing use. What is the certificate being used for? Subject alternate names if any.
Pkafkas

ASKER

It is a godaddy certificate, if that makes a difference.

Some people are saying that I need to create a new CSR and some are saying that I can use the old CSR.  In the past whenever I replaced an older certificate I always generated a new CSR.  For Firewalls and Citrix NetScalers, and Exchange Servers.
masnrock

It is a godaddy certificate, if that makes a difference.
Are you able to see any details about the way that it is generated?

Some people are saying that I need to create a new CSR and some are saying that I can use the old CSR.
Technically, you could keep using the old one. However, I advise people to generate the new one anyway.
Pkafkas

ASKER

I can browse to the web site and see information about the current certificate.

CN and Alternative names
Issuer
Public Key RSA
Public Key Parameters: 05 00
Signature algorithm
etc.
arnold

The certificate usually includes whether it is a simple mechanism to secure communication like a web server or whether in addition to that it needs other resources.

Is this a mail handling appliance?
Often, appliances have a user interface to complete these tasks.

Including info on the appliance might help lookup the manual if publicly accessible or available only through ..... restricted access
Pkafkas

ASKER

To Arnold:

I have an admin guide on how to generate a CSR and upload a new certificate for the 2FA appliance.  Does that answer your question?

But I really want to focus on the 3 questions above.

Question1:  Do I need to generate a new CSR from that hosting appliance?
      a.  I am assuming yes and I found out how to do this on the appliance.

Question2:  How do I know what type of certificate to create?  Example, for Apache or Tomcat or Other?
     a.  I see from my notes that all 3 were created last year; but, I am not sure which one was used.
     b.  From the appliance configuration I see a "key Pair" type is listed.

Question3.  I have notes on how to upload the certificate to the appliance; but, I am confused with how to import the certificate correctly.  We had problems initially when a consultant was doing this.  Initially the certificate only worked correctly with iphones and computers; but, not with Android phones.
     a.  The consultant that did this last year had to "create the certificate a little bit differently to go into the product".
     b.  That consultant is no longer with that firm and we do not do business with that firm any longer.
     c.  I do not know what he meant by that.  Maybe I will need to contact the vendor if the problem comes back.
arnold

OpenSSL is the tool to convert certificate key pairs from one format to another depending on need.

https://roopindersingh.com/programming/converting-pem-certificates-and-private-keys-to-jks/

If you can ssh into the appliance, it should have openssl

You need the private key and the certificate.
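
The checks this thread keeps returning to (key and certificate must match, the CA chain must be complete, OpenSSL converts between formats), as an added example that is not part of any poster's reply. It builds a throwaway test CA on the spot; the hostname `2fa.example.test`, the file names and the password are assumptions, and a renewal would use the appliance's key and the issuer's intermediate instead.

```bash
#!/usr/bin/env bash
# Added example: throwaway test PKI (constructed; every name is a placeholder).
set -eu
W=$(mktemp -d); cd "$W"; trap 'rm -rf "$W"' EXIT

new_csr() {  # $1=file stem, $2=common name: new RSA key plus CSR
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}
sign() {     # $1=stem to sign, $2=issuer stem, $3=extension file
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
}
make_test_pki() {  # root -> intermediate -> leaf, like a public CA hierarchy
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  printf 'subjectAltName=DNS:2fa.example.test\n' > leaf.ext
  new_csr root "Test Root CA"; new_csr int "Test Intermediate CA"; new_csr leaf "2fa.example.test"
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 30 -out root.pem 2>/dev/null
  sign int root ca.ext
  sign leaf int leaf.ext
}
key_matches_cert() {  # $1=private key, $2=certificate: do both carry the same public key?
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}
chain_ok() {  # $1=root the client trusts, $2=PEM file the server presents (leaf first)
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}
p12_cert_count() {  # $1=PKCS#12 file, $2=password: number of certificates inside
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

make_test_pki
cat leaf.pem int.pem > fullchain.pem   # leaf first, then the intermediate
openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile int.pem \
  -passout pass:example-only -out bundle.p12   # single-file form some products import

key_matches_cert leaf.key leaf.pem && echo "key matches certificate"
chain_ok root.pem leaf.pem      || echo "leaf alone: a client holding only the root cannot build the chain"
chain_ok root.pem fullchain.pem && echo "leaf + intermediate: chain verifies"
echo "certificates in bundle.p12: $(p12_cert_count bundle.p12 example-only)"
```

A client that has cached the intermediate or fetches it on its own can accept the leaf-only file while a stricter client rejects it, so run the chain check against exactly what the appliance will serve.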
Pkafkas

ASKER

Can I use the tool above to create a certificate in a different format and its associated private.key?

https://phoenixnap.com/kb/openssl-tutorial-ssl-certificates-private-keys-csrs
David Favor

To create a real cert, use https://LetsEncrypt.org which will keep your process simple.

With OpenSSL + many other tools you can certainly create certs + with no issuance chain, using these certs is always a pain.

Better to just generate free LetsEncrypt certs, which work in all clients.