Renewing SSL certs

nikdahl

It has come to the point where a couple of the domains hosted on our servers need to have their SSL certs renewed.

Looking through some old posts, it seems that the only way to "renew" an SSL cert, is to in fact, create a new cert. So my users are in fact paying a 12 month price for 11 mos (or whenever the cert is renewed) of a cert. The last month goes wasted?

We order our certs through OpenSRS. Prior to the cert's expiration, there is a link to "Renew", which basically just opens up a new cert order form, but with the same old CSR. Will it even work with the old CSR? Or does a new one need to be generated?

I've always had trouble with certs in DirectAdmin, which is why I'm seeking clarification on this. In the past, DA has always retained a cert, or key, or something that doesn't allow for the installation of a new cert.

So perhaps I will go through with some steps to renew (or replace.. as it seems is the more appropriate term) a cert in DA, and you can tell me what steps I'm doing wrong, if any.

- Open the Install SSL Certificate panel in DA
- Clear out the "Paste a pre-generated certificate and key" section, where the current Private Key and Cert reside, and save.
- Select the Generate a CSR option, fill in the blanks and submit. At this point, a new private key is generated and placed in the "paste a pre-generated certificate and key" section.
- Order the cert using the new CSR, and paste it in the "pre-generated certificate and key" section after the private key.

That should be it, right? Step two may be where I am failing.

In order to replace a cert, you have to remove the old one. So perhaps the question should be "how do you remove a cert?"
 
A new CSR would only be required if you wanted to change some information contained therein. As for updating the cert, I've always just pasted the new code in and saved.
 
Looking through some old posts, it seems that the only way to "renew" an SSL cert, is to in fact, create a new cert. So my users are in fact paying a 12 month price for 11 mos (or whenever the cert is renewed) of a cert. The last month goes wasted?
Not necessarily. If you buy your Certificates from the same vendor they'll know the Certificate expiration date, and they'll generally give you the extra time. If you're switching vendors or for some weird reason your vendor doesn't do that for you, then just renew at the last minute :).
We order our certs through OpenSRS. Prior to the cert's expiration, there is a link to "Renew", which basically just opens up a new cert order form, but with the same old CSR. Will it even work with the old CSR? Or does a new one need to be generated?
Already responded by someone else.
I've always had trouble with certs in DirectAdmin, which is why I'm seeking clarification on this. In the past, DA has always retained a cert, or key, or something that doesn't allow for the installation of a new cert.
DirectAdmin continues to retain (and use) the old private key and the old Certificate, so the site will still be protected by the old Certificate.

Then when you get the new Certificate you simply paste it in, overwriting (or first deleting) the old Certificate, before saving.

The only time this has created a problem for us has been when clients using Debian needed to update Debian (because of a bug which made Certificates possibly insecure), and then reissue each Certificate. We resolve that problem by deleting the private key through the shell.
So perhaps I will go through with some steps to renew (or replace.. as it seems is the more appropriate term) a cert in DA, and you can tell me what steps I'm doing wrong, if any.
The industry still calls it renewing the Certificate, so I do as well.
- Open the Install SSL Certificate panel in DA
- Clear out the "Paste a pre-generated certificate and key" section, where the current Private Key and Cert reside, and save.
I've found that this is counter-productive and doesn't actually clear the files. I don't bother doing it.
- Select the Generate a CSR option, fill in the blanks and submit. At this point, a new private key is generated and placed in the "paste a pre-generated certificate and key" section.
In my experience it hasn't always created a new private key. You don't need a new private key, so it doesn't matter.
- Order the cert using the new CSR, and paste it in the "pre-generated certificate and key" section after the private key.
Yes. As I wrote above, at that point overwrite the Certificate with the new one.
That should be it, right? Step two may be where I am failing.
I wrote that it's unnecessary, but I don't know what you mean by failing.
In order to replace a cert, you have to remove the old one. So perhaps the question should be "how do you remove a cert?"
You don't have to remove the old one.

Jeff
 
OK, here is a scenario for you :

The cert was for www.domain.com on a 1024-bit key and now needs replacing with a wildcard. As Jeff has mentioned, you can't simply "delete" the key and cert.

So I thought, oh well, create a new CSR in the name of *.domain.com on 2048 bits. This creates a nice new shiny CSR, and you send that quite correctly to the CA to get your new cert (bear in mind the old and new certs are from different CAs), then go back to the SSL page and, funnily enough, your new private key isn't there...

So now I have lost the new wildcard private key, the old cert and old key are still in place, and I have a nice new shiny wildcard cert, my CSR (not much use now), and bugger all else :P

SO how to get round this...

Anyone for 10? :)
 
This creates a nice new shiny CSR, and you send that quite correctly to the CA to get your new cert (bear in mind the old and new certs are from different CAs), then go back to the SSL page and, funnily enough, your new private key isn't there...
Why not?
Anyone for 10? :)
Call me if you'd like; we'll go through this on the phone in a few minutes, and then you can write it up here :).

Jeff
 
Same here

I am having the same problem, sort of...

I bought an SSL cert for www.clients.mydomainname.com by creating the request using DA. I got the cert and pasted it under the key as instructed. It worked perfectly.

Later I find out that I have problems with WHMCS not liking to work well with the subdomain so I buy another SSL cert for www.mydomainname.com .
It let me create the new cert request fine. I got the new cert but when I go to DA SSL to enter the cert under the key I find that it only shows the old key and cert. I can't delete it and recover my newer key.

I get the feeling that my newer key is now lost.

Is there a way to recover the root key that was created?

How do I get it to stop showing that older subdomain key/cert?

Thanks

Michael
 
You should try deleting the old Certificate but not the key, then pasting the new cert under the key. Save them and see if that works.

If not, then, as I mentioned to Michael on the phone, the old key has to be removed manually through the shell. The new key is probably lost and you'll have to:

1) delete the key through the shell (if you don't have shell access you'll need to contact your hosting provider).

2) log back into your SSL page, and create a new CSR (the window should be empty before you start).

3) ask your Certificate provider to reissue the certificate.

If you write back and tell me that your provider won't reissue the Certificate without you paying again, well then you're dealing with a cheapskate Certificate provider who doesn't do what all Certificate providers should do, which is revoke a certificate and reissue it, at no charge, if for some reason it doesn't work. All reputable Certificate providers, including NoBaloney Internet Services :) will do that.

Jeff
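The checks below are an added example, not code from this thread or from DirectAdmin. They use the openssl command line to do what Jeff describes in his two replies: build the renewal CSR from the private key the panel already holds (so the old CSR/key is reused and no new key is needed), confirm that the certificate that comes back actually belongs to that key before pasting it in (a mismatch is the "my new private key isn't there" situation from the posts above, caught before the site breaks), and check how many days a certificate has left so you can renew close to expiry. The file names, the hostname www.example.com and the self-signing stand-in for the CA are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the forum thread or DirectAdmin): openssl helpers for a
# certificate renewal where the panel keeps the old private key. Assumes the
# openssl CLI is installed; paths and hostnames are placeholders.
set -eu

# Build a CSR from an existing private key so the retained key is reused for the
# renewal order. Usage: csr_from_key KEY COMMON_NAME OUT_CSR
csr_from_key() {
    openssl req -new -key "$1" -subj "/CN=$2" -out "$3" 2>/dev/null
}

# Return 0 if the certificate's public key matches the private key, 1 otherwise.
# Run this BEFORE overwriting the old cert: a mismatch means the new cert was
# issued against a different (possibly lost) key and the web server will refuse
# the pair. Usage: cert_matches_key CERT KEY
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Return 0 if the certificate is still valid DAYS days from now, 1 if it will have
# expired by then. Usage: valid_for_days CERT DAYS
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Stand-in for the CA: self-sign a cert from a CSR with the same key so the checks
# above can be exercised offline. Constructed test data, not a real issuance.
# Usage: fake_ca_sign CSR KEY DAYS OUT_CERT
fake_ca_sign() {
    openssl x509 -req -in "$1" -signkey "$2" -days "$3" -out "$4" 2>/dev/null
}

# Typical renewal run (paths assumed):
#   csr_from_key /path/to/domain.key www.example.com /tmp/renew.csr
#   ... submit /tmp/renew.csr to the CA, save the returned cert as /tmp/new.crt ...
#   cert_matches_key /tmp/new.crt /path/to/domain.key && echo "safe to paste in"
#   valid_for_days /path/to/current.crt 30 || echo "renew now"
```

If `cert_matches_key` fails on a freshly issued certificate, the CSR you submitted was not generated from the key the panel still holds; that is the point at which the key must be cleared and the certificate reissued against a new CSR, as the replies above describe.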
 
I was finally able to get WHMCS working with the subdomain which I had the key/crt pair for. The problem I have in creating a new key/CSR is that when I put in the information and have it create the key/CSR, I copy and save the CSR fine, but when I go back to see and grab the key it has already been replaced with the previous KEY/CRT pair.
I guess I need to do as you said and figure out how to delete the KEYs via shell so it doesn't have the old one to display.
BTW, I looked and I had 7 days to have it re-issued, (and) I could do it myself on their site. After that I'm not sure of their policy.

Thanks
 