Creating a new CSR when a certificate is already installed and in use

Discussion in 'Installation/Configuration' started by cbj4074, Oct 23, 2012.

  1. cbj4074

    cbj4074 Member

    The ISPConfig 3 manual does not address this particular situation:

    I have an SSL certificate that is already installed, and it has become necessary for me to renew that certificate. I need to install the new certificate without interruption to HTTPS service.

    How is this done in ISPConfig 3? From what I can tell, if I choose "Create certificate" from the SSL Action menu, ISPConfig will indeed generate a new CSR, but it will also overwrite the existing certificate's key file, which will cause Apache to fail (because the key and the certificate will no longer match).

    Historically, I've had to create the new CSR on the shell prompt and then copy everything into place, as described in the manual section, "5.4.1 How Do I Import An Existing SSL Certificate Into A Web Site That Was Created Later In ISPConfig?"

    Am I missing something? Or is the manual route the only route at the moment?

    Thanks for any help.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

You don't have to create a new CSR when you renew an SSL cert, as CSRs don't expire. Just take the existing CSR and let it be signed again, copy the new crt into the SSL crt field in ISPConfig, select "Save" as action and click on the save button. No manual changes required in any files.
  3. cbj4074

    cbj4074 Member

    Thanks, Till. Very nice; I was unaware of the fact that CSRs do not expire. I learn something new every day around here. ;)
  4. cbj4074

    cbj4074 Member

    Sorry to resurrect the thread here, Till. :eek:

    So, I had to renew the SSL certificate for a domain.

    Before sending the CSR off to the CSA, I ensured that the CSR contents in ISPConfig matched the contents on the filesystem (in /var/www/ ). Both values matched, so I requested the new certificate with that old/existing CSR (per the previous discussion in this thread).

    When the new certificate came back, I attempted to follow your instructions and paste only the new .crt contents into ISPConfig's "SSL Certificate" field. When I clicked "Save Certificate", Apache refused to restart with:

    [Thu Nov 08 10:44:06 2012] [error] Unable to configure RSA server private key
    [Thu Nov 08 10:44:06 2012] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    [Thu Nov 08 10:44:08 2012] [error] Unable to configure RSA server private key
    [Thu Nov 08 10:44:08 2012] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    So, I did some research and used the commands outlined at to perform comparisons against the various certificate components.

    Here is the output of the various commands against the old/existing/working certificate:

    # openssl x509 -noout -modulus -in /var/www/ | openssl md5
    # openssl rsa -noout -modulus -in /var/www/ | openssl md5
    # openssl req -noout -modulus -in /var/www/ | openssl md5
    Is the last hash, for the CSR, supposed to match the hash for the certificate and the key? In other words, does the above output indicate that this CSR was not in fact used to generate the certificate? This seems to be the case, because I pasted the new certificate into the site's ssl directory, alongside the other files, and hashed its modulus:

    # openssl x509 -noout -modulus -in /var/www/ | openssl md5
    So, what does this tell us? That this CSR file is irrelevant, as it was not used to create the first/original certificate?
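    The check the previous post is trying to do by hand (compare the RSA modulus of the key, the CSR and the certificate), plus the renewal-from-the-same-CSR flow from till's earlier reply, as an added example. This script is not from the thread and not part of ISPConfig; it only uses the same openssl subcommands already shown above. The file names, the CN "www.example.test" and the temp directory are constructed for the demo, and the "CA" is simulated with a self-signature (openssl x509 -req -signkey) where a real CA would sign the CSR. Apache's "X509_check_private_key: key values mismatch" is exactly this modulus comparison failing between the key file and the certificate file, so a CSR that does not share the modulus of the key was not generated from that key, and a certificate issued on it will never load with that key.

```shell
#!/bin/sh
# Added example (not from the thread or ISPConfig): verify that a private key,
# the CSR derived from it, and the certificate a CA issued from that CSR all
# carry the same RSA modulus. Apache refuses to start ("key values mismatch")
# when the key and certificate disagree.
set -eu

# Print the MD5 of the RSA modulus of a key, a CSR or a certificate.
# $1 = key|csr|crt, $2 = PEM file
modulus_hash() {
    case "$1" in
        key) openssl rsa  -noout -modulus -in "$2" ;;
        csr) openssl req  -noout -modulus -in "$2" ;;
        crt) openssl x509 -noout -modulus -in "$2" ;;
        *)   echo "modulus_hash: unknown type '$1'" >&2; return 2 ;;
    esac | openssl md5 | sed 's/^.*= //'
}

# Return 0 when key, CSR and certificate share one modulus, 1 otherwise.
# $1 = key file, $2 = CSR file, $3 = certificate file
check_match() {
    k=$(modulus_hash key "$1")
    r=$(modulus_hash csr "$2")
    c=$(modulus_hash crt "$3")
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Print one line per component so the odd one out is visible; the key is the
# reference, because it is the file Apache will try to load with the cert.
diagnose() {
    k=$(modulus_hash key "$1")
    printf 'key  %s  (reference)\n' "$k"
    for t in csr crt; do
        case "$t" in csr) f=$2 ;; crt) f=$3 ;; esac
        h=$(modulus_hash "$t" "$f")
        if [ "$h" = "$k" ]; then s=match; else s=MISMATCH; fi
        printf '%s  %s  %s\n' "$t" "$h" "$s"
    done
}

# Build the demo material in a temp dir and print its path:
#   site.key          the server key
#   site.csr          CSR generated from site.key
#   site.crt          first certificate "issued" on site.csr
#   site-renewed.crt  renewal issued on the very same CSR (no new CSR needed)
#   other.key         an unrelated key, e.g. one left behind by an earlier
#                     self-signed certificate created through another path
make_demo() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/site.key" 2048 2>/dev/null
    openssl req -new -key "$d/site.key" -subj "/CN=www.example.test" \
        -out "$d/site.csr" 2>/dev/null
    openssl x509 -req -in "$d/site.csr" -signkey "$d/site.key" -days 1 \
        -out "$d/site.crt" 2>/dev/null
    openssl x509 -req -in "$d/site.csr" -signkey "$d/site.key" -days 2 \
        -out "$d/site-renewed.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    echo "$d"
}

# Stand-alone run: the renewal on the old CSR matches; the stray key does not.
d=$(make_demo)
echo "== renewal issued on the original CSR =="
diagnose "$d/site.key" "$d/site.csr" "$d/site-renewed.crt"
echo "== same CSR/cert checked against an unrelated key =="
diagnose "$d/other.key" "$d/site.csr" "$d/site.crt"
rm -rf "$d"
```

    To apply this to a live site, call check_match with the site's key, CSR and the freshly issued certificate before pasting anything into ISPConfig: if it fails, run diagnose, and whichever line says MISMATCH is the component that came from a different key generation, which is what happened in this thread.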
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The content of the CSR file and the CSR field in ISPConfig were identical at the time the original certificate was created in ISPConfig. It might be that someone replaced the CSR or key file in the filesystem or pasted a different CSR into the CSR field in ISPConfig, so that the CSR and key do not belong together anymore.
  6. cbj4074

    cbj4074 Member

    That "someone" was me. :eek:

    After looking through my files, I see what happened.

    I created a self-signed certificate when I installed ISPConfig, via the ISPC interface, just to secure communications until I could acquire a proper certificate.

    Then I generated the CSR for the proper certificate on the command-line (not through ISPConfig).

    Fortunately, I kept all of the certificate components, and I was able to find the original CSR file and its modulus's MD5 hash matches that of the other certificate components.

    So, it seems that I will need to have the new certificate reissued upon the correct CSR.

    Thanks for your help in straightening this out, Till.

