So here’s a scenario for you. You purchased an SSL certificate from a certificate authority, I’ll use GoDaddy, but only because I know their system does/allows this. Purchase the cert, and use if for the year. When the year’s through, you can renew, but instead of needing a new CSR, there’s this nice Auto-renew feature, which uses your old key. If you’re on IIS, when you go to install the cert you’ll be in trouble. Why? Because you don’t have the key.

So now, your old SSL cert is up for expiration, you’ve retrieved a new cert, but you don’t know what to do next. Well, there are actually two options available to you:

1) If you’re installing, or installed the cert on the same server as the original certificate, this step is easy. Use the MMC snap-in for Certificates (Local Computer) to import the certificate, then open the properties, verify the ‘key’ symbol is missing, and find the thumbprint for your new cert. Copy this and remove the spaces. Now paste the following into a commandprompt window:

certutil -repairstore MY <thumbprint>

Congrats, your certificate is now restored with a proper key.

2) If you have a copy of the certificate’s PFX, you can use OpenSSL or one of numerous online websites like SSLShopper.com  provide tools for converting a PFX to PEM format. Replace the certificate section with your new file, then do the exact opposite to compile it back to PFX. You can set a password for the PFX, but that’s only necessary if you use IIS to import the certificate.

One cavat to option two is that if you accidentally install the cert without the private key before you do the recompile, you have to use option 1, or you have to FULLY REMOVE the new certificate from the snap-in before you can reinstall. If you don’t do this, your cert will appear perfect, but will not function on the server properly until removed and reinstalled.

If you happen to be running Apache, you’re already using PEM, just replace the SSLCERTIFICATE value, and leave the key alone, you’re good to go.

Hope this helps you guys with your future SSL installs.

The fix? As you may have guessed, reconfigure your Virtual SMTP to ‘localhost’ then save, close and re-open properties. You can now set your desired IP listener value. When finished, hop over to the Delivery options and reset your FQDN, then save. Sad that this little issue is such a pain-in-the-butt.

Seagate Barracuda ST3320418AS 320GB 7200 RPM SATA 3.0Gb/s 3.5″ Hard Drive

With these new drives in place, I powered on the system and loaded my RAID controller to look at the presumed catastrophe that would surely be my RAID stripe. As it turns out, my RAID stripe was OK, though it was in dire need of a good Windows chkdsk to resolve some consistency issues. My mirrored 1TB drives however had decided to become two rather than one, leaving me with two identical degraded mirrors. So much for quality from my NV RAID controller. I promptly destroyed one degraded array and started the rebuild to add the disk into the other. Once complete, I moved over to my remaining RAID stripe to keep from experiencing any further catastrophe.

With the mirror safely in place again, I rebooted the server, and in safe-mode, quickly set the C drive (my stripe) to be checked on next boot. After this completed, I grabbed my trusty Ubuntu Feisty CD, and loaded the bootable environment.

I cleared enough space on a USB drive to allow a partition to be copied (about 80GB) and used GParted to make the copy (System > Administration > GParted) from stripe to USB drive. Now I’ll make a clear note that this was a Windows XP system partition, existing on a RAID0 stripe. Since it’s Nvidia raid, that means Ubuntu picks up the RAID controller, auto-maps the raid-mounts, and also maps the SATA drives. This is important, because you need to capture the data from the /dev/mapper/nvidia_?????1 volume that equals the size of your RAID array. If I copied the array from the ‘/dev/sda1′, etc. I’d have captured half the info needed and lost the rest.

Once the partition was copied, I booted back down and moved to my RAID config again, dropping the RAID0 stripe and setting a mirror up in its place. This means everything on the disk was lost at this point! Thank goodness we backed it up…

From here, I booted back into Ubuntu CD, loaded GParted, and started the copy back from the USB drive over to the new Mirror. This also meant setting the msdos partition style and setting up the new partition (GParted is a champ at this!). I set the boot flag on the partition and rebooted, removing the CD.

…nothing happened.

I loaded my NV config, set and reset the array for bootable. nothing.
It dawned on my, I had to fix the MBR for XP, so I grabbed my XP disk and booted. It wouldn’t see my arrays, either of them, but was happy to find both of my USB drives. I didn’t have a floppy laying around with my RAID controllers, so I checked the MFG website, no downloads. argh. That’s annoying.

I ended up going back to trusty ole Ubuntu, and a quick google on my laptop found out about ms-sys, a tool designed for just this purpose. After a few debilitating attempts, I found that I had to download the tar for ms-sys from their sourceforge site because Ubuntu no longer carries it in their Universe repo:

http://ms-sys.sourceforge.net

I followed their installation, but quickly learned that Ubuntu is missing something else needed to complete the install, a toolset called ‘gettext’. I quickly ran ‘apt-get install gettext’, completed the install for ms-sys and ran the process to fix the MBR:

ms-sys -m /dev/mapper/nvidia_?????

note: you’ll find at least two maps for an Nvidia RAID array, the one for the array, and the one for each partition, allocated by a number following the seemingly random NV ID.

Once complete, I reset the boot flag on my volume, to be sure, and rebooted, to see a successfully loading XP on my new mirror array.

lesson learned, read the friggin controller info to determine what’s failed, but always have a backup drive around in case of an issue. 2x 320GB drives are now in store, in the event of such a failure, or a decision to just move over to Win7 or Linux, who knows… nobody’s paying me for the move.

Please be aware that all of the tools I’ve listed today are manufactured by their respective developers and are freely available online. I make no claim to ownership, nor do I want it. If this document helps you, I’m glad, if it doesn’t, I hope you find what you need elsewhere.

Feel free to comment, and watch for future updates.

Anyways, It’s done, and I’m now a couple hundred PFX files happier. For anyone interested in the ‘how’, try using the following, remember that Microsoft IDs the certs from 0 up, so:

Start with a for loop:

for /L %a in (1,1,200) DO

add in the cert process:

certutil -p password -exportPFX %a cert%a.pfx

set those together, and you get a really nice list of PFX files to import into a new server, there’s even an option to -importPFX to allow that function to run smoothly, though I won’t get into that one today.

In other news, the weekend is here, which means – my son’s birthday party, and home projects. This weekend, replace an old faucet, and the angle-valves that go with… and swap the bottom of the cabinet while you’re at it!!!

Note to self: classwork also due…

As an old teacher once suggested, breaking the date down, you read:
11001
seems logical enough.