Renewing expired certificate
steveryder said 1 year, 1 month ago:
I need to renew an expired certificate (mail.jsrsystems.info expired today, used for postfix/dovecot). In a month I will need to renew secure.jsrsystems.info run under a tomcat 5.5 system. Do I really need to go thru the CSR process since these are NOT new certificates, or can I simply go to the download steps? I know where the certificates are stored on my Ubuntu/Linux virtual machine.
The original installation was done by a contractor, so I don’t know exactly how he generated the CSR files or if he saved them. Hence the desire to skip those steps and just replace the files with “unexpired” versions. Nothing else has changed since their original installation two years ago.
staceyh said 1 year, 1 month ago:
@steveryder If the SSL is being moved to a different server, then a new CSR is needed. The only time that the CSR process can be avoided is if nothing is changing on the server. You may wish to review the article below for more information on generating a CSR:
http://support.godaddy.com/help/article/5343
~Stacey
steveryder said 1 year, 1 month ago:
Absolutely nothing is changing on the server.
So, can I please get my unexpired certificate for the server for which nothing is changing?
staceyh said 1 year, 1 month ago:
@steveryder If nothing is changing, you’ll need to use the steps below to renew the SSL. During the renewal process, you’ll choose the option to keep your current CSR:
http://support.godaddy.com/help/article/864
~Stacey
steveryder said 1 year, 1 month ago:
Thank you, this is exactly the information I needed.
chrisg said 1 year ago:
@steveryder,
I am glad to hear the information @staceyh provided was able to assist you. If you have any other questions, we are always happy to help out.
Christopher G.
steveryder said 1 year ago:
Where do I find the option to keep my current CSR?
I followed all the steps in “Renewing Your SSL Certificate” from Launch thru Request Certificate. At that point there is a box to enter my CSR, but I don’t see any option to “Keep your current CSR”. HELP.
Thank you.
chrisg said 1 year ago:
@steveryder,
Was the current CSR generated with 2048 bit key length? If it was not, this is likely why no option is being presented to keep the current CSR as our SSL Certificates now require at minimum a 2048 bit key length. You may need to go ahead and generate a new CSR.
Christopher G.
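Added example, not part of the thread or of the vendor's documentation: one way to answer the key-length question above from the files already on the server, using the standard `openssl req`, `openssl x509` and `openssl pkey` subcommands. It goes slightly beyond the reply by also checking that a CSR was built from the private key the server holds, which matters when a CSR is reused; the function names and file paths are hypothetical.

```shell
#!/bin/sh
# Added example: inspect an existing PEM CSR or certificate before renewal.
# Function names and file names are illustrative, not taken from the thread.

# key_bits FILE: print the public-key size in bits of a PEM CSR or certificate.
key_bits() {
    f=$1
    if grep -q 'CERTIFICATE REQUEST' "$f"; then
        text=$(openssl req -in "$f" -noout -text) || return 2
    else
        text=$(openssl x509 -in "$f" -noout -text) || return 2
    fi
    # Matches "Public-Key: (2048 bit)" and the older "RSA Public Key: (1024 bit)".
    printf '%s\n' "$text" |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# meets_minimum FILE [MIN]: succeed when the key has at least MIN bits.
# MIN defaults to 2048, the minimum stated in the reply above.
meets_minimum() {
    bits=$(key_bits "$1") || return 2
    [ -n "$bits" ] && [ "$bits" -ge "${2:-2048}" ]
}

# csr_matches_key CSR KEY: succeed when the CSR carries the public half of KEY.
# A reused CSR is only useful if its private key is still on the server.
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey | openssl sha256) || return 2
    b=$(openssl pkey -in "$2" -pubout | openssl sha256) || return 2
    [ "$a" = "$b" ]
}

# Stand-alone use: sh check.sh FILE [KEY]
if [ "$#" -ge 1 ]; then
    echo "$1: $(key_bits "$1") bit key"
    if meets_minimum "$1"; then echo "meets 2048-bit minimum"
    else echo "below 2048-bit minimum, generate a new key and CSR"; fi
    if [ "$#" -ge 2 ]; then
        if csr_matches_key "$1" "$2"; then echo "CSR matches $2"
        else echo "CSR does NOT match $2"; fi
    fi
fi
```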
steveryder said 1 year ago:
The certificate was generated (on my system) by a subcontractor, who I can no longer contact. It may have been the shorter key length.
Where can I find instructions for generating a CSR for use by postfix on a Ubuntu Linux system? I find instructions for tomcat (which I will also need to do but not for two weeks), but nothing for postfix. Thanks for your help.
chrisg said 1 year ago:
@steveryder,
All of our available documentation for generating a CSR should be available within the following article:
Generating a Certificate Signing Request
If the instructions for your specific type of server are not present in this article, I would recommend referring to your preferred search engine or the server vendor for further assistance.
Christopher G.
steveryder said 1 year ago:
I have read a lot of documentation: The generated certificate gets the following error: The CSR contains a key that is susceptible to being compromised.
The command I used following the UBUNTU doc was:
openssl req -new -newkey rsa:2048 -nodes -keyout mail.jsrsystems.info.key -out mail.jsrsystems.info.csr
Now what?
chrisg said 1 year ago:
@steveryder,
Sounds like your server may be missing some system patches that should prevent this type of error from being generated by your CSR key. I would recommend reviewing the details in the following article to help further assist you:
Protecting My Site Against the SSL Vulnerability in Debian GNU/Linux
Christopher G.
steveryder said 1 year ago:
I followed the instructions in the last email link.
Reading the Ubuntu link: http://www.ubuntu.com/usn/usn-612-4/
said I should install ssl-cert 1.0.14.0ubuntu2.1
doing the sudo apt-get install ssl-cert 1.0.14.0ubuntu2.1
said:
ssl-cert is already the newest version. then
Couldn’t find package 1.0.14.0ubuntu2.1
I did a version check:
Distributor ID: Ubuntu
Description: Ubuntu 8.04
Release: 8.04
Codename: hardy
So, I am at a loss as to what to do next to be able to generate a good CSR.
And I MUST get the CSR before 5-15-2012!
chrisg said 1 year ago:
@steveryder,
Unfortunately I am limited in what further steps to advise beyond the information provided in the article I last referenced for patching your server. If no other forum members familiar with your specific server and this error respond with a suggestion, you may want to refer to your preferred search engine for any additional tutorials or server forums that could assist with the patching of your server.
In the meantime, since you mentioned your ‘secure.jsrsystems.info’ cert is expiring soon, you may want to go ahead and renew this using the ‘current CSR’ option. I just checked with a member of our SSL team who advised that you should be able to complete the renewal with this option as long as the cert hasn’t expired already. Just be aware that you may need to re-key after the renewal once you have the system patched.
Christopher G.
santy said 12 months ago:
How much time does it take to renew an expired certificate if all clients are approved the SSL?