Auto-renewed your cert and can’t find your private key?

A pet peeve of mine is users who buy low-cost certs and then don't really care to maintain them securely. Seriously, why?

So here's the scenario. You purchased an SSL certificate from a certificate authority; I'll use GoDaddy as the example, only because I know their system does this. You buy the cert and use it for the year. When the year is up you can renew, but instead of requiring a new CSR there is a convenient Auto-renew feature, which reuses your old CSR and therefore your old key pair. If you're on IIS, when you go to install the renewed cert you'll be in trouble. Why? Because the certificate file the CA sends contains no private key, and the store does not automatically pair it with the key that was generated for your original CSR.

So now your old SSL cert is about to expire, you've downloaded the new cert, and you don't know what to do next. There are actually two options available to you:

1) If you're installing the cert on the same server that holds the original certificate (and therefore the original private key), this is easy. Use the MMC Certificates snap-in (Local Computer) to import the new certificate into the Personal store, open its properties, and confirm that the small key symbol ("You have a private key that corresponds to this certificate") is missing. Copy the thumbprint of the new cert from the Details tab and remove the spaces. Then, in an elevated command prompt, run:

certutil -repairstore MY <thumbprint>

Congrats, your certificate is now paired with its proper key. Re-open the properties and the key symbol should be present; if certutil reports that it cannot find the key, the original key pair is not in this machine's key store and you will need either the old PFX (option 2) or a brand-new CSR.
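Here is the option 1 procedure as a PowerShell script (an added example, not code from the original post), so the checks the MMC walk-through leaves implicit are visible: it imports the renewed certificate, confirms that the store already holds a private key for exactly that public key, runs certutil -repairstore, and re-reads the store to verify the result. The file path is an assumption; Import-Certificate comes from the PKI module that ships with Windows 8 / Server 2012 and later, and the whole thing must run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): import a renewed certificate into the
# Local Computer "Personal" (MY) store and re-attach the private key that already
# lives in the machine key store from the original CSR.
param(
    # Assumed path to the renewed certificate as delivered by the CA (.cer/.crt).
    [string]$CertPath = 'C:\certs\renewed.crt'
)

$ErrorActionPreference = 'Stop'

# 1. Import the renewed certificate (this is what the MMC snap-in does for you).
$new = Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\My'
Write-Host "Imported $($new.Subject) thumbprint=$($new.Thumbprint) HasPrivateKey=$($new.HasPrivateKey)"

# 2. Before repairing, prove the store holds a private key for this exact public key:
#    look for another certificate (the old one) whose public key bytes are identical.
$newPub = [Convert]::ToBase64String($new.GetPublicKey())
$owner  = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object {
        $_.Thumbprint -ne $new.Thumbprint -and $_.HasPrivateKey -and
        [Convert]::ToBase64String($_.GetPublicKey()) -eq $newPub
    } | Select-Object -First 1
if (-not $owner) {
    throw 'No certificate with a private key and the same public key exists in MY; ' +
          'certutil -repairstore cannot help here. Use the old PFX or request a new CSR.'
}
Write-Host "Key owner found: $($owner.Thumbprint) (expires $($owner.NotAfter))"

# 3. Re-associate the key with the new certificate. PowerShell's Thumbprint has no spaces,
#    so it can be passed to certutil directly.
if (-not $new.HasPrivateKey) {
    certutil -repairstore MY $new.Thumbprint | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }
}

# 4. Re-read the certificate from the store; the in-memory object does not refresh itself.
$fixed = Get-Item "Cert:\LocalMachine\My\$($new.Thumbprint)"
if (-not $fixed.HasPrivateKey) { throw 'Repair did not attach a private key' }
Write-Host "OK: $($fixed.Thumbprint) now has a private key; bind it to the site in IIS."
```

Run it as `.\Repair-RenewedCert.ps1 -CertPath C:\path\to\renewed.crt` from an administrator PowerShell. The public-key comparison in step 2 is the part worth keeping even if you do everything else by hand: certutil can only repair a certificate whose key is actually present on this machine, and the comparison tells you that before you start.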

2) If you have a copy of the old certificate's PFX (which contains the private key), you can use OpenSSL to convert it to PEM format, replace the certificate section with your new certificate file, then do the exact reverse to compile it back into a PFX. Websites such as SSLShopper.com offer browser-based converters for the same steps, but remember that a PFX holds your private key: once you upload it to a third party you should treat that key as exposed, so do the conversion locally. You can set a password on the PFX; you only need one if you import it through IIS Manager, which asks for it.

One caveat to option two: if you install the new certificate without its private key before you rebuild the PFX, you must either use option 1 or fully remove the new certificate from the snap-in before reinstalling it. If you don't, the certificate will look perfect in the store but will not work on the server until it is removed and reinstalled.

If you happen to be running Apache, you're already using PEM: replace the file referenced by SSLCertificateFile with the new certificate, leave SSLCertificateKeyFile alone, reload Apache, and you're good to go.
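Option 2 and the Apache paragraph come down to the same thing: pair the renewed certificate with the key you already have, and prove the two match before you deploy. Here is that procedure as a PowerShell script driving openssl.exe locally (an added example, not code from the post, from GoDaddy or from SSLShopper): it extracts the key and CA chain from the old PFX, compares the public key inside the renewed certificate with the one derived from the private key, and exports a new PFX. On Apache you only need the comparison step, since the key file stays where it is. Assumptions: openssl.exe is on PATH, the file paths are placeholders, and the CA delivered the renewed certificate as PEM.

```powershell
# Added example (not from the original post): rebuild a PFX for a renewed certificate
# from the private key in the previous PFX, using openssl.exe on this machine rather
# than a web converter. All paths below are assumed placeholders.
param(
    [string]$OldPfx  = 'C:\certs\old.pfx',       # assumed: last year's PFX (cert + key)
    [string]$NewCert = 'C:\certs\renewed.crt',   # assumed: renewed cert from the CA, PEM
    [string]$OutPfx  = 'C:\certs\renewed.pfx'    # assumed: output for IIS import
)

$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'pfx-rebuild'
New-Item -ItemType Directory -Force -Path $work | Out-Null
$keyPem   = Join-Path $work 'key.pem'
$chainPem = Join-Path $work 'chain.pem'

# Passwords go to openssl through environment variables (env:NAME) so they never
# appear on the command line or in process listings.
$env:OLDPASS = Read-Host 'Password of the old PFX'
$env:NEWPASS = Read-Host 'Password for the rebuilt PFX (IIS requires one on import)'

try {
    # 1. PFX -> PEM: pull out the private key (written unencrypted, hence the temp dir
    #    and the cleanup below) and any CA certificates bundled in the old PFX.
    openssl pkcs12 -in $OldPfx -nocerts -nodes -passin env:OLDPASS -out $keyPem
    if ($LASTEXITCODE) { throw 'private key extraction failed (wrong password?)' }
    openssl pkcs12 -in $OldPfx -cacerts -nokeys -passin env:OLDPASS -out $chainPem
    if ($LASTEXITCODE) { throw 'chain extraction failed' }

    # 2. The check a converter site never does for you: the public key in the renewed
    #    certificate must equal the public key derived from the old private key.
    #    Both commands print the same SubjectPublicKeyInfo PEM when they match.
    $certPub = (openssl x509 -in $NewCert -noout -pubkey) -join "`n"
    $keyPub  = (openssl pkey -in $keyPem -pubout) -join "`n"
    if ($certPub -ne $keyPub) {
        throw 'Renewed certificate was NOT issued for this private key; a new CSR was used somewhere.'
    }
    Write-Host 'Public key in renewed cert matches the old private key.'

    # 3. PEM -> PFX: new certificate + old key (+ chain, only if the old PFX had one,
    #    because openssl rejects an empty -certfile).
    $export = @('pkcs12', '-export', '-in', $NewCert, '-inkey', $keyPem,
                '-passout', 'env:NEWPASS', '-out', $OutPfx)
    if (Select-String -Path $chainPem -Pattern 'BEGIN CERTIFICATE' -Quiet) {
        $export += '-certfile', $chainPem
    }
    & openssl $export
    if ($LASTEXITCODE) { throw 'PFX export failed' }
    Write-Host "Wrote $OutPfx; import it into Local Computer\Personal and confirm the key icon appears."
}
finally {
    # 4. Never leave the plaintext key or the passwords lying around.
    Remove-Item $keyPem, $chainPem -Force -ErrorAction SilentlyContinue
    Remove-Item Env:\OLDPASS, Env:\NEWPASS -ErrorAction SilentlyContinue
}
```

For Apache, run only the two commands in step 2 against the new certificate and the file named in SSLCertificateKeyFile; if the output differs, the renewed certificate was not issued for that key and swapping SSLCertificateFile will leave Apache refusing to start.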

Hope this helps you guys with your future SSL installs.

This entry was posted in IIS, SSL Stuff, Windows.

8 Responses to Auto-renewed your cert and can’t find your private key?

  1. Heather says:

    I suggest adding a facebook like button for the blog!

  2. Strongly suggest adding a “google+” button for the blog!

  3. Candie says:

    Yup, that'll do it. You have my appreciation.

  4. Luigi Fulk says:

    I simply want to say I am a beginner to blogging and really savored your blog. Most likely I'm going to bookmark your blog post. You amazingly come with exceptional articles. Thanks a lot for sharing your web page with us.
