Issues with renewing an SSL

drazhar (Verified User, joined Dec 5, 2005, 49 messages)
Hey all. In the latest version of DA when I attempt to create a CSR for a domain that already has an SSL installed (but expired, for example) the private key and cert are not replaced as they used to be.

Additionally the Private Key will not work with the cert that is generated via the CSR. We have been forced to physically remove the SSL files from our servers, and basically start as if the domain had no SSL on it.

Has anyone else had this issue?
 
Yes I have. Now what do you think we should try to do about it. ;-)

If we send the CSR off for signing and put the resulting certificate in there my hunch is that it isn't going to match the private key.

John.... HELP! I have two customers renewing today and they are going to be a bit upset when their SSL doesn't work!

Anybody? :eek:
 
And to confirm the behaviors: Yes in fact if I delete the domain.com.cert and domain.com.key files I can then generate properly as if they were installing a new SSL cert all together.

Nice workaround for now. I will stop panicking.

Big Wil
 
John,

Well, that does explain a lot. However, I can't say that I agree that that is the best way of going about it. In my opinion it isn't good to reuse private keys. The longer one has a key lying around the less secure it becomes, in my opinion. I like the idea of having a new key pair generated every year.

Opinions are a dime a dozen and sometimes I am no different. So I will go ahead and toss mine out there on how I wish to see it done. The way it is now leaving the old key and cert in there gives the impression quite frankly that the system is broken. It just doesn't feel right. No messages or anything, just well, nothing. It will leave any user wondering.

I think you should add a renew certificate function and page. The renew wouldn't touch the current key and cert but rather would create a username/domains/domain.com.key.tmp file containing the new private key. Once the user gets the signed cert back, they come back to the renewal page, drop in the cert, and hit Finalize, and that's when the current cert and key are replaced.

Just my two cents..... or maybe a buck fifty.

Big Wil
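The two things this thread turns on are (a) checking whether a cert actually belongs to a private key, which is what went wrong in the first post, and (b) the two-phase "tmp key, then Finalize" flow Big Wil sketches above. The script below is an added example written for this discussion; it is not DirectAdmin's code, and the file layout it assumes (DIR/DOMAIN.key, DIR/DOMAIN.cert, a pending DIR/DOMAIN.key.tmp and DIR/DOMAIN.csr, with .prev copies kept for rollback) is an assumption, as are the function names. It relies only on the openssl command line.

```shell
#!/bin/sh
# Added example: a tmp-key renewal flow in the shape proposed in this thread.
# Not DirectAdmin's implementation; the file layout ($dir/$domain.key,
# $dir/$domain.cert, $dir/$domain.key.tmp, $dir/$domain.csr) is an assumption.
set -u

# Succeed only if the public key inside CERT is the one derived from KEY.
# Both openssl commands print SubjectPublicKeyInfo PEM, so a string compare works.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Step 1: generate a fresh key pair and CSR beside the live pair, never over it.
# The live key/cert keep serving until Finalize, so nothing goes dark while
# the CSR is out for signing.
renew_start() {
    dir=$1; domain=$2
    ( umask 077   # the private key must not be group- or world-readable
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$dir/$domain.key.tmp" -out "$dir/$domain.csr" \
          -subj "/CN=$domain" 2>/dev/null )
}

# Step 2 ("Finalize"): install the signed cert only if it was issued for the
# pending key. On a mismatch (the symptom from the first post) the live
# key/cert pair is left exactly as it was.
renew_finalize() {
    dir=$1; domain=$2; newcert=$3
    tmpkey="$dir/$domain.key.tmp"
    [ -f "$tmpkey" ] || { echo "no pending renewal for $domain" >&2; return 1; }
    if ! key_matches_cert "$tmpkey" "$newcert"; then
        echo "$newcert does not match $tmpkey; nothing replaced" >&2
        return 1
    fi
    # keep the outgoing pair for rollback, then swap file by file (each mv is atomic)
    [ -f "$dir/$domain.key" ]  && cp -p "$dir/$domain.key"  "$dir/$domain.key.prev"
    [ -f "$dir/$domain.cert" ] && cp -p "$dir/$domain.cert" "$dir/$domain.cert.prev"
    cp -p "$newcert" "$dir/$domain.cert.tmp" || return 1
    mv -f "$tmpkey" "$dir/$domain.key" || return 1
    mv -f "$dir/$domain.cert.tmp" "$dir/$domain.cert" || return 1
    rm -f "$dir/$domain.csr"
}

# Small CLI so the same functions can be driven by hand:
#   renew.sh start DIR DOMAIN | finalize DIR DOMAIN SIGNED.cert | check KEY CERT
case "${1:-}" in
    start)    renew_start "$2" "$3" ;;
    finalize) renew_finalize "$2" "$3" "$4" ;;
    check)    key_matches_cert "$2" "$3" && echo "key and cert match" ;;
    *)        : ;;   # no subcommand: only define the functions (e.g. when sourced)
esac
```

`check` is the quick test to run whenever a cert "doesn't work" after a renewal: if the two public keys differ, the CA signed a CSR from a different key than the one on disk, and no amount of restarting Apache will fix it. The ordering in `renew_finalize` matters: the match check runs before any file is touched, so a wrong cert can never leave a half-replaced pair behind.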
 
Yeah, a tmp key is probably better. We had changed it to this particular method because when a new CSR was created, the old cert became inactive with the new key. I'll see what I can do. (likely not for this release though)

John
 
Yeah, I know. I would do the old copy and paste, copy and paste the old back in, wait for the signing, copy the new back in and save method.... It did need some work, I can't argue that.

Big Wil
 
I did it that way as well; it wasn't a problem for experienced sysadmins. The problem is that today everyone expects everything to just work ;) .

Jeff
 