How to replace an already expired SSL Certificate.


I have always found SSL Certificates confusing, and it is even more confusing if things do not work as planned from the instructions provided. But it is a good opportunity to learn. I have an SSL Certificate from godaddy.com and it has expired (1 month ago, or 30 days ago). It is not a wildcard certificate and we need to renew and replace it for an appliance and its web address. I see notes from: https://support.cartika.com/portal/kb/articles/renewing-your-ssl-certificate-godaddy-19-6-2018 on how to create an SSL certificate, and this part seems very familiar and straightforward.

Question1:  Do I need to generate a new CSR from that hosting appliance?
      a.  I am assuming yes and I found out how to do this on the appliance.

Question2:  How do I know what type of certificate to create?  Example, for Apache or Tomcat or Other?
     a.  I see from my notes that all 3 were created last year; but, I am not sure which one was used.
     b.  From the appliance configuration I see a "key Pair" type is listed.

Question3.  I have notes on how to upload the certificate to the appliance; but, I am confused with how to import the certificate correctly.  We had problems initially when a consultant was doing this.  Initially the certificate only worked correctly with iPhones and computers; but, not with Android phones.
     a.  The consultant that did this last year had to "create the certificate a little bit differently to go into the product".
     b.  That consultant is no longer with that firm and we do not do business with that firm any longer.
     c.  I do not know what he meant by that.  Maybe I will need to contact the vendor if the problem comes back.
Distinguished Expert 2018

Commented:
Question1:  Do I need to generate a new CSR from that hosting appliance?
Yes.

Question2:  How do I know what type of certificate to create?  Example, for Apache or Tomcat or Other?
Is this an internal SSL certificate leveraging your PKI, or is this for a device that is accessible from the outside? There's a considerable amount of missing information here.

Question3.  I have notes on how to upload the certificate to the appliance; but, I am confused with how to import the certificate correctly.  We had problems initially when a consultant was doing this.  Initially the certificate only worked correctly with iPhones and computers; but, not with Android phones.
Without more information, this is too vague to actually provide you with the answer that you're looking for. What type of device are we even talking about?
Pkafkas, Network Engineer

Author

Commented:
This device/appliance/web address is accessible outside.

If there is information missing ... that just shows how much I am not sure how to proceed; but, I am trying to be secretive where it is in the best interest of the company.

1).  This appliance is used for 2 Factor Authentication.  
2).  This appliance is used for users to authenticate with an Authentication APP.
        a.  This appliance is used for users to log in and associate a smartphone with their account.
3).  It is not in production and we have been testing it for the past year.
4).  We were getting ready for production but the certificate expired.
5).  Since the certificate expired the smart phone applications will not authenticate correctly.
        a.  The smartphone app uses the web address to communicate with the outside world.
        b.  One cannot even add a smartphone to a user's account since the certificate is expired.

When we were originally setting this up, the certificate was imported by a consultant, and during the testing process the smartphone enrollment only worked with iPhones and a Pixel phone; but not with Android phones.  Then after a lot of trial and error we got Android phones to work.  The consultant stated: "I created the certificate file a bit differently to go into the program."  Whatever that means.  But that was when the 2FA appliance allowed Android phones to be enrolled with 2FA for users.

The certificate problem with the Android phones may be a vendor specific problem.  If it happens again I may need to call the vendor.
Distinguished Expert 2018

Commented:
Alright, tell us what you do know about the hosting appliance (in terms of specs, etc). Might make it easier to assist.
1. You can reuse the existing CSR, but that is not required.

2. I am unsure. Certs are usually generic, but some software wants separate files for the private key and the certificate authority chain. Many allow multiple setups. That can be handled with some copy and paste.

3. This is usually a matter of CA chains. Newer vendors are not natively handled by older browsers. A proper certificate authority chain alleviates this.

There are also limits regarding ciphers, number of bytes... but those likely won't kick in with a new cert.
David Favor, Fractional CTO
Distinguished Expert 2018
Commented:
Question1:  Do I need to generate a new CSR from that hosting appliance?
      a.  I am assuming yes and I found out how to do this on the appliance.

Yes + No. Depends on...

If you use a smart system like LetsEncrypt, you never touch or see any .csr file, which is good as generating a correct .csr file is more complex than might be imagined.

If you're using GoDaddy's cert generation process, you must provide a .csr file, so you'll either generate a new one or use the previous one you used to initially generate the cert.

Tip: Almost every sensible hosting company these days provides free LetsEncrypt certs.

Because certs have been free for years now.

Question2:  How do I know what type of certificate to create?  Example, for Apache or Tomcat or Other?
     a.  I see from my notes that all 3 were created last year; but, I am not sure which one was used.
     b.  From the appliance configuration I see a "key Pair" type is listed.

There is only one type of cert. Well... maybe 2x types if you consider simple certs + wildcard certs as different. All browsers have now dropped showing EV certs as different (which is good because they never were different), so really there's only one type of cert now, which might contain a list of sites or a wildcard designation for one site.

I generate certs, usually many each day, which are used for Apache, incoming SMTP (opportunistic TLS), IMAPS, POP3S, MariaDB.

All TLS certs (no such thing as SSL certs, they've been dead for years) work across all code, as TLS supports a common protocol used every where.

Question3.  I have notes on how to upload the certificate to the appliance; but, I am confused with how to import the certificate correctly.  We had problems initially when a consultant was doing this.  Initially the certificate only worked correctly with iPhones and computers; but, not with Android phones.
     a.  The consultant that did this last year had to "create the certificate a little bit differently to go into the product".
     b.  That consultant is no longer with that firm and we do not do business with that firm any longer.
     c.  I do not know what he meant by that.  Maybe I will need to contact the vendor if the problem comes back.

I think you may be mixing up server protocol support (Apache/Tomcat) + client protocol support (iPhones).

In general the best way to handle this is to setup your server support for only TLSv1.2 + TLSv1.3, which will break some old client devices connecting, which is still best as SSL2, SSL3, TLSv1.0, TLSv1.1 all have problems, which is why all these protocol versions are now retired/deprecated.

For example, almost all payment systems (PayPal, Banks) silently block any traffic from <TLSv1.2 protocol levels to their payment gateways.

There's generally nothing you can do to fix client devices, as client device related problems can only be fixed by owners of these devices installing updates.
Distinguished Expert 2017

Commented:
Good info.

Question #1
Much depends on what is in use and what options are available from the current issuer, if it is being used to get a new certificate from.
If the issuer changes, a new CSR is required.
If the appliance supports it, getting a renewed certificate from the current issuer might be sufficient, since the key used to generate the prior CSR is present.

Question #2
Use the current certificate as a reference. Look through certificate info for OID, function detailing use. What is the certificate being used for? Subject alternate names if any.
Pkafkas, Network Engineer

Author

Commented:
It is a godaddy certificate, if that makes a difference.

Some people are saying that I need to create a new CSR and some are saying that I can use the old CSR.  In the past whenever I replaced an older certificate I always generated a new CSR, for Firewalls, Citrix NetScalers, and Exchange Servers.
Distinguished Expert 2018

Commented:
It is a godaddy certificate, if that makes a difference.
Are you able to see any details about the way that it is generated?

Some people are saying that I need to create a new CSR and some are saying that I can use the old CSR.
Technically, you could keep using the old one. However, I advise people to generate the new one anyway.
Both choices are OK. Do not spin your wheels uselessly.
Pkafkas, Network Engineer

Author

Commented:
I can browse to the web site and see information about the current certificate.

CN and Alternative names
Issuer
Public Key RSA
Public Key Parameters: 05 00
Signature algorithm
etc.
Distinguished Expert 2017

Commented:
The certificate usually includes whether it is a simple mechanism to secure communication like a web server or whether in addition to that it needs other resources.

Is this a mail handling appliance?
Often, appliances have a user interface to complete these tasks.

Including info on the appliance might help look up the manual, if publicly accessible or available only through ..... restricted access.
Pkafkas, Network Engineer

Author

Commented:
To Arnold:

I have an admin guide on how to generate a CSR and upload a new certificate for the 2FA appliance.  Does that answer your question?

But I really want to focus on the 3 questions above.

Question1:  Do I need to generate a new CSR from that hosting appliance?
      a.  I am assuming yes and I found out how to do this on the appliance.

Question2:  How do I know what type of certificate to create?  Example, for Apache or Tomcat or Other?
     a.  I see from my notes that all 3 were created last year; but, I am not sure which one was used.
     b.  From the appliance configuration I see a "key Pair" type is listed.

Question3.  I have notes on how to upload the certificate to the appliance; but, I am confused with how to import the certificate correctly.  We had problems initially when a consultant was doing this.  Initially the certificate only worked correctly with iPhones and computers; but, not with Android phones.
     a.  The consultant that did this last year had to "create the certificate a little bit differently to go into the product".
     b.  That consultant is no longer with that firm and we do not do business with that firm any longer.
     c.  I do not know what he meant by that.  Maybe I will need to contact the vendor if the problem comes back.
Distinguished Expert 2017
Commented:
Each answered your question.
If you are getting the certificate from the same provider, one option is to renew it directly through them and then load the new certificate, if the option is available.
If this is not an option, then you must generate a new CSR and then submit it for signature by a Certificate Authority, either the same or a new one. When the signed certificate is issued, you would use the process to complete the loading of the new certificate into the appliance.

When you use the appliance csr generation tool, it will generate a request appropriate to its use.

Tomcat usually uses a keystore, meaning it has to get the certificate and key in a specific format, where OpenSSL can be used to do the conversion.
Key pair means the certificate includes the public key used by clients to encrypt the request as part of the transport layer security. Your system retains and uses the private key to decrypt the message from the remote clients, while using the public key it obtains during the secure connection negotiation to encrypt the response, such that only the other side can decrypt the response from you using their own private key.

See the instructions on what type.
Obtained certificates are commonly in DER/PEM format. Tomcat uses a different type of certificate store.

Do you need a public certificate, or could a self-signed certificate do?
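The renew-or-regenerate discussion above turns on one fact: the private key on the appliance and the public key inside the CSR (and later the issued certificate) must be one pair. The script below is an added example, not code from the thread or from any appliance vendor; it generates a fresh key and a CSR with a subjectAltName, checks that the CSR's public key matches the key file, and reads the expiry of a certificate. `2fa.example.com`, `Example Org` and the 30-day self-signed stand-in certificate are constructed placeholders so that the script runs offline; against a real appliance you would point `fp_of_cert` at the certificate GoDaddy returns and `days_left` at the certificate the appliance currently serves.

```shell
#!/bin/sh
# Added example, not from the thread: generate a fresh key pair and CSR for the
# appliance (Question 1), confirm the CSR really belongs to that key (the
# "key pair" in Question 2), and read the expiry of an existing certificate.
# 2fa.example.com and "Example Org" are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="2fa.example.com"   # placeholder for the appliance's public name

# Minimal request config so the CSR carries a subjectAltName; modern clients
# ignore the CN and match the host name against the SAN list only.
cat >"$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
[dn]
[v3_req]
subjectAltName = DNS:$HOST
EOF

# 1. New 2048-bit RSA private key, readable by the owner only.
make_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$HOST.key" 2>/dev/null
  chmod 600 "$WORK/$HOST.key"
}

# 2. CSR signed with that key; this file is what goes to the CA.
make_csr() {
  openssl req -new -sha256 -key "$WORK/$HOST.key" -config "$WORK/req.cnf" \
    -subj "/C=US/O=Example Org/CN=$HOST" -out "$WORK/$HOST.csr" 2>/dev/null
}

# A CSR carries its own signature, so a corrupted or edited file fails here.
csr_is_valid() {
  openssl req -in "$WORK/$HOST.csr" -noout -verify >/dev/null 2>&1
}
csr_has_san() {
  openssl req -in "$WORK/$HOST.csr" -noout -text | grep -q "DNS:$HOST"
}

# 3. Public-key fingerprints: key, CSR and issued certificate must all agree,
#    otherwise the appliance rejects the upload or serves a cert it cannot use.
fp_of_key()  { openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256 | awk '{print $NF}'; }
fp_of_csr()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256 | awk '{print $NF}'; }
fp_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256 | awk '{print $NF}'; }

key_matches_csr() { [ "$(fp_of_key "$WORK/$HOST.key")" = "$(fp_of_csr "$WORK/$HOST.csr")" ]; }

# 4. Expiry checks for whatever certificate is installed. A self-signed
#    stand-in is created here only so the example runs offline.
make_stand_in_cert() {
  openssl req -x509 -new -sha256 -days 30 -key "$WORK/$HOST.key" \
    -config "$WORK/req.cnf" -subj "/CN=$HOST" -out "$WORK/stand-in.crt" 2>/dev/null
}
cert_expired() {       # exit 0 when notAfter is already in the past
  ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}
days_left() {          # whole days until notAfter (GNU date, BSD date fallback)
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  end_epoch=$(date -d "$end" +%s 2>/dev/null \
    || date -j -f "%b %e %T %Y %Z" "$end" +%s)
  echo $(( (end_epoch - $(date +%s)) / 86400 ))
}

make_key; make_csr; make_stand_in_cert
csr_is_valid    && echo "CSR signature OK"
csr_has_san     && echo "CSR carries SAN for $HOST"
key_matches_csr && echo "CSR public key matches $HOST.key"
echo "stand-in cert expires in $(days_left "$WORK/stand-in.crt") days"
```

If you choose the "renew with the same CSR" route instead, the same `fp_of_key`/`fp_of_cert` comparison tells you whether the renewed certificate GoDaddy sends back still matches the key the appliance holds; a mismatch means the key was regenerated at some point and the renewal cannot be installed.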
Distinguished Expert 2017

Commented:
OpenSSL is the tool to convert certificate key pairs from one format to another depending on need.

https://roopindersingh.com/programming/converting-pem-certificates-and-private-keys-to-jks/

If you can ssh into the appliance, it should have openssl.

You need the private key and the certificate.
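The two points the experts make above, that the usual Android-only failure is a missing intermediate CA chain and that OpenSSL is the tool for repackaging key plus certificate into a keystore, can both be reproduced offline. The script below is an added example, not code from the thread, the linked article, or any vendor: it builds a throwaway root and intermediate CA, issues a leaf for a placeholder host, shows `openssl verify` failing when only the leaf is presented and succeeding once the intermediate is supplied, then bundles key, leaf and intermediate into one PKCS#12 file of the kind Tomcat-style appliances import. `2fa.example.com`, the CA names and the `changeit` password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway two-level CA so the chain
# problem can be reproduced offline, then the leaf packaged for a Tomcat-style
# keystore. All names and the "changeit" password are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="2fa.example.com"

# Request config that works without a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' >"$WORK/req.cnf"

# Extensions for the issuing (intermediate) CA and for the server leaf.
printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\n' >"$WORK/int.ext"
printf 'basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\n' "$HOST" >"$WORK/leaf.ext"

new_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# Self-signed root: the only certificate a client is assumed to trust.
make_root() {
  new_key "$WORK/root.key"
  openssl req -x509 -new -sha256 -days 30 -key "$WORK/root.key" \
    -config "$WORK/req.cnf" -extensions v3_ca -subj "/CN=Constructed Root" \
    -out "$WORK/root.crt" 2>/dev/null
}

# Create a key and CSR for $1 and sign it with CA $2 using extension file $3.
sign() {
  new_key "$WORK/$1.key"
  openssl req -new -sha256 -key "$WORK/$1.key" -config "$WORK/req.cnf" \
    -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
}

build_chain() {
  make_root
  sign intermediate root "$WORK/int.ext"
  sign "$HOST" intermediate "$WORK/leaf.ext"
}

# Chain check the way a strict client does it: trust only the root and use
# whatever intermediates the server sends ($1, or nothing at all).
verify_leaf() {
  if [ -n "${1:-}" ]; then
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/$HOST.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.crt" "$WORK/$HOST.crt" >/dev/null 2>&1
  fi
}

# Private key + leaf + intermediate in one PKCS#12 keystore under alias "tomcat".
make_p12() {
  openssl pkcs12 -export -inkey "$WORK/$HOST.key" -in "$WORK/$HOST.crt" \
    -certfile "$WORK/intermediate.crt" -name tomcat \
    -out "$WORK/$HOST.p12" -passout pass:changeit 2>/dev/null
}
# Read the keystore back and count the certificates it carries (expect 2).
p12_cert_count() {
  openssl pkcs12 -in "$WORK/$HOST.p12" -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

build_chain
if verify_leaf; then
  echo "leaf alone verified (unexpected)"
else
  echo "leaf alone: unable to get issuer, which is what a strict client reports"
fi
verify_leaf "$WORK/intermediate.crt" && echo "leaf + intermediate: verify OK"
make_p12
echo "keystore holds $(p12_cert_count) certificates (leaf + intermediate)"
```

The practical check for a deployed appliance is the same `openssl verify` call with the real root bundle as `-CAfile` and the chain the server actually sends as `-untrusted`: if it only passes when you add the intermediate by hand, the appliance is serving the leaf alone, and clients that do not fetch missing intermediates on their own will reject it. Some appliance import dialogs expect a PEM chain file rather than a PKCS#12; in that case concatenate the intermediate after the leaf instead of running `make_p12`.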
Pkafkas, Network Engineer

Author

Commented:
Can I use the tool above to create a certificate in a different format and its associated private key?

https://phoenixnap.com/kb/openssl-tutorial-ssl-certificates-private-keys-csrs
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
To create a real cert, use https://LetsEncrypt.org which will keep your process simple.

With OpenSSL + many other tools you can certainly create certs + with no issuance chain, using these certs is always a pain.

Better to just generate free LetsEncrypt certs, which work in all clients.
