HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


cbj4074 23rd October 2012 21:49

Creating a new CSR when a certificate is already installed and in use
 
The ISPConfig 3 manual does not address this particular situation:

I have an SSL certificate that is already installed, and it has become necessary for me to renew that certificate. I need to install the new certificate without interruption to HTTPS service.

How is this done in ISPConfig 3? From what I can tell, if I choose "Create certificate" from the SSL Action menu, ISPConfig will indeed generate a new CSR, but it will also overwrite the existing certificate's key file, which will cause Apache to fail (because the key and the certificate will no longer match).

Historically, I've had to create the new CSR on the shell prompt and then copy everything into place, as described in the manual section, "5.4.1 How Do I Import An Existing SSL Certificate Into A Web Site That Was Created Later In ISPConfig?"

Am I missing something? Or is the manual route the only route at the moment?

Thanks for any help.

till 24th October 2012 08:41

You don't have to create a new CSR when you renew an SSL cert, as CSRs don't expire. Just take the existing CSR and have it signed again, copy the new CRT into the SSL CRT field in ISPConfig, select "Save" as action and click on the Save button. No manual changes required in any files.

cbj4074 24th October 2012 14:41

Thanks, Till. Very nice; I was unaware of the fact that CSRs do not expire. I learn something new every day around here. ;)

cbj4074 8th November 2012 20:40

Sorry to resurrect the thread here, Till. :o

So, I had to renew the SSL certificate for a domain.

Before sending the CSR off to the CA, I ensured that the CSR contents in ISPConfig matched the contents on the filesystem (in /var/www/example.com/ssl/example.com.csr). Both values matched, so I requested the new certificate with that old/existing CSR (per the previous discussion in this thread).

When the new certificate came back, I attempted to follow your instructions and paste only the new .crt contents into ISPConfig's "SSL Certificate" field. When I clicked "Save Certificate", Apache refused to restart with:

Code:

[Thu Nov 08 10:44:06 2012] [error] Unable to configure RSA server private key
[Thu Nov 08 10:44:06 2012] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Thu Nov 08 10:44:08 2012] [error] Unable to configure RSA server private key
[Thu Nov 08 10:44:08 2012] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

So, I did some research and used the commands outlined at https://www.sslshopper.com/certificate-key-matcher.html to perform comparisons against the various certificate components.

Here is the output of the various commands against the old/existing/working certificate:

Code:

# openssl x509 -noout -modulus -in /var/www/example.com/ssl/example.com.crt | openssl md5
395aed008daf908ba3c447cec3a50db6
# openssl rsa -noout -modulus -in /var/www/example.com/ssl/example.com.key | openssl md5
395aed008daf908ba3c447cec3a50db6
# openssl req -noout -modulus -in /var/www/example.com/ssl/example.com.csr | openssl md5
395c05c527c4a8584a01863542213e96

Is the last hash, for the CSR, supposed to match the hash for the certificate and the key? In other words, does the above output indicate that this CSR was not in fact used to generate the certificate? This seems to be the case, because I pasted the new certificate into the site's ssl directory, alongside the other files, and hashed its modulus:

Code:

# openssl x509 -noout -modulus -in /var/www/example.com/ssl/example.com.new.crt | openssl md5
395c05c527c4a8584a01863542213e96

So, what does this tell us? That this CSR file is irrelevant, as it was not used to create the first/original certificate?
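Added example, not from the thread: a small POSIX shell script that reproduces the modulus comparison from the post above on key/CSR/cert files it generates itself, and reports which of the three components is the odd one out (here the stale CSR on disk). It assumes openssl is on PATH; the file names, the `modulus_md5` and `check_set` helpers and the generated test data are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): reproduces the modulus comparison
# from the post above on key/CSR/cert files generated here, and names the
# component that does not belong. Assumes openssl is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# MD5 of the RSA modulus, exactly as the commands in the thread compute it.
# $1 = rsa | req | x509 (key, CSR or certificate), $2 = file
modulus_md5() {
    openssl "$1" -noout -modulus -in "$2" | openssl md5 | awk '{print $NF}'
}

# Compare key ($1), CSR ($2) and certificate ($3). Prints MATCH, or which
# component has a different modulus from the other two.
check_set() {
    k=$(modulus_md5 rsa "$1")
    r=$(modulus_md5 req "$2")
    c=$(modulus_md5 x509 "$3")
    if [ "$k" = "$r" ] && [ "$k" = "$c" ]; then echo MATCH
    elif [ "$k" = "$c" ]; then echo CSR_MISMATCH    # this thread: stale CSR on disk
    elif [ "$k" = "$r" ]; then echo CERT_MISMATCH   # cert issued from another CSR
    else echo KEY_MISMATCH; fi                       # key matches neither file
}

# Constructed test data: key A with its CSR and a self-signed cert,
# key B with its own CSR and cert (stands in for the CSR made on the shell).
mk() {  # $1 = name
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "/CN=example.com" -out "$WORK/$1.csr"
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
        -out "$WORK/$1.crt" 2>/dev/null
}
mk a
mk b

check_set "$WORK/a.key" "$WORK/a.csr" "$WORK/a.crt"   # MATCH
check_set "$WORK/a.key" "$WORK/b.csr" "$WORK/a.crt"   # CSR_MISMATCH
check_set "$WORK/a.key" "$WORK/a.csr" "$WORK/b.crt"   # CERT_MISMATCH
```

Only the key/certificate pair has to agree for Apache to start; a CSR that differs from both (the CSR_MISMATCH case) is harmless until it is sent off for signing, which is exactly what went wrong in this thread.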

till 9th November 2012 08:47

Quote:

So, what does this tell us? That this CSR file is irrelevant, as it was not used to create the first/original certificate?
The content of the CSR file and the CSR field in ISPConfig were identical at the time the original certificate was created in ISPConfig. It might be that someone replaced the CSR or key file in the filesystem or pasted a different CSR into the CSR field in ISPConfig, so that the CSR and key do not belong together anymore.

cbj4074 9th November 2012 18:02

Quote:

It might be that someone replaced the csr or key file in the filesystem or pasted a different csr into the csr field in ispconfig so that the csr and key does not belong together anymore.
That "someone" was me. :o

After looking through my files, I see what happened.

I created a self-signed certificate when I installed ISPConfig, via the ISPC interface, just to secure communications until I could acquire a proper certificate.

Then I generated the CSR for the proper certificate on the command-line (not through ISPConfig).

Fortunately, I kept all of the certificate components, and I was able to find the original CSR file and its modulus's MD5 hash matches that of the other certificate components.

So, it seems that I will need to have the new certificate reissued upon the correct CSR.

Thanks for your help in straightening this out, Till.

