jmarton2 Absent Member.
2744 views

Difficulty replacing SSL cert

I got a note from GoDaddy that I had to rekey my SSL certificate to use SHA-2 instead of SHA-1. I was able to access my GoDaddy account and change the encryption algorithm, and then download the bundle containing the cert & all the intermediates. I've imported all of them into Filr as trusted certificates. However, I can't set the new certificate as active. When I try and then reboot, the original certificate is still active. I wonder if that's because it's imported as a trusted certificate and isn't part of a key pair, but the only way I know to get a new key pair is to go through the entire CSR process which was skipped for this. Is there another way to replace the cert? Do I need to use command-line tools to do it?

Joe Marton Emeritus Knowledge Partner
0 Likes
13 Replies
Anonymous_User Absent Member.

Re: Difficulty replacing SSL cert

jmarton wrote:
>
> I got a note from GoDaddy that I had to rekey my SSL certificate to use
> SHA-2 instead of SHA-1. I was able to access my GoDaddy account and
> change the encryption algorithm, and then download the bundle containing
> the cert & all the intermediates. I've imported all of them into Filr
> as trusted certificates. However, I can't set the new certificate as
> active. When I try and then reboot, the original certificate is still
> active. I wonder if that's because it's imported as a trusted
> certificate and isn't part of a key pair, but the only way I know to get
> a new key pair is to go through the entire CSR process which was skipped
> for this. Is there another way to replace the cert? Do I need to use
> command-line tools to do it?


Is your new certificate based on the certificate request as created on
the Filr appliance? If so the private part is on your appliance. I had
to do the same (old intermediate certificates using SHA-1) and IIRC I
could simply import the freshly created certificate as a key pair giving
the pass phrase on the appliance (same as for the Java key store). I did
not touch the root certificate as that did not change.

See also Message-ID: <sindre.6ekeyn@no-mx.forums.novell.com>

Günther
0 Likes
jmarton2 Absent Member.

Re: Difficulty replacing SSL cert

Günther Schwarz;2418484 wrote:

Is your new certificate based on the certificate request as created on
the Filr appliance? If so the private part is on your appliance. I had
to do the same (old intermediate certificates using SHA-1) and IIRC I
could simply import the freshly created certificate as a key pair giving
the pass phrase on the appliance (same as for the Java key store). I did
not touch the root certificate as that did not change.


Yes, it's based on the original CSR. If I try to import the cert as a key pair, I get this error:

An error occurred importing the key pair file (type .P12 format expected). See server logs for more details.

I know the docs give command-line syntax to convert the cert to P12 format.

openssl pkcs12 -export -in mycert.pem -inkey mykey.pem -out mycert.p12

I get that "-in mycert.pem" is my GoDaddy cert and "-out mycert.p12" is the output file in p12 format. But I don't know where the key file is stored for the "-inkey mykey.pem" part of the syntax. Where is that stored?

Joe

Joe Marton Emeritus Knowledge Partner
0 Likes
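The conversion discussed above, as an added example that is not part of the thread: it builds the .p12 bundle from a PEM certificate, its private key and the CA chain, but first checks that the key actually belongs to the certificate (the failure mode Joe runs into when the appliance key pair cannot be exported) and that the certificate is signed with SHA-2. The file names, the test-material generator and the password are assumptions for the example; the key and certificate it creates are throwaway stand-ins for the GoDaddy-issued cert and the appliance-generated key.

```shell
#!/bin/sh
# Added example, not code from the thread or from Filr/Novell documentation.
set -eu

# Constructed test material: a throwaway key + self-signed cert stand in for the
# real certificate and its key, and a second self-signed cert stands in for the
# intermediate bundle. Never do this with a production key.
make_test_material() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=filr.example.test" \
    -keyout "$dir/mykey.pem" -out "$dir/mycert.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Stand-in Intermediate CA" \
    -keyout "$dir/ca-key.pem" -out "$dir/chain.pem" 2>/dev/null
}

# Succeeds only when the private key's public half equals the one in the cert.
# This is the check that fails when the cert was issued for a CSR whose key you
# no longer have.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl sha256)
  [ "$c" = "$k" ]
}

# Prints the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeeds when the cert is SHA-2 signed (the point of the GoDaddy rekey).
is_sha2_signed() {
  case "$(sig_alg "$1")" in
    sha256*|sha384*|sha512*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the PKCS#12 bundle the appliance import expects, then re-read it to
# confirm the MAC verifies and the key decrypts with the given password.
# Note: on OpenSSL 3 an old Java keystore may need "-legacy" added to -export.
build_p12() {
  cert=$1; key=$2; chain=$3; out=$4; pass=$5
  key_matches_cert "$cert" "$key" || { echo "key does not match certificate" >&2; return 1; }
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
    -out "$out" -passout "pass:$pass"
  openssl pkcs12 -in "$out" -passin "pass:$pass" -noout
}
```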
Anonymous_User Absent Member.

Re: Difficulty replacing SSL cert

jmarton wrote:

> I get "in mycert.pem" is my GoDaddy cert and "-out mycert.p12" is the
> output file in p12 format. But I don't know where the key file is
> stored for the "-inkey mykey.pem" part of the syntax. Where is that
> stored?


On the appliance 😉
You might export it as a key pair and then use it for the conversion.
From my notes:

Import/Export of cert. on the Filr-Appliance:
http://www.novell.com/documentation/novell-filr1/filr1_inst/data/certificates.html

Export from the Appliance:
Login on the Novell Filr Appliance (port 9443) as Vaadmin then select
Appliance System Configuration | Digital Certificates | key Store : Web
Application Certificates.
Then highlight the certificate and click on File | Export | Key Pair.

Günther

0 Likes
jmarton2 Absent Member.

Re: Difficulty replacing SSL cert

Günther Schwarz;2418497 wrote:

On the appliance 😉
You might export it as a key pair and then use it for the conversion.
From my notes:

Import/Export of cert. on the Filr-Appliance:
http://www.novell.com/documentation/novell-filr1/filr1_inst/data/certificates.html

Export from the Appliance:
Login on the Novell Filr Appliance (port 9443) as Vaadmin then select
Appliance System Configuration | Digital Certificates | key Store : Web
Application Certificates.
Then highlight the certificate and click on File | Export | Key Pair.


That's the same section of the docs I'm using but it doesn't seem to completely cover this scenario. I've gone through the key pair export, but nothing seems to happen after I enter the password. Does the export go to somewhere on the appliance? I would expect my browser to download the key pair but nothing is downloaded after I enter the password.

Joe

Joe Marton Emeritus Knowledge Partner
0 Likes
Anonymous_User Absent Member.

Re: Difficulty replacing SSL cert

jmarton wrote:

> That's the same section of the docs I'm using but it doesn't seem to
> completely cover this scenario. I've gone through the key pair export,
> but nothing seems to happen after I enter the password. Does the export
> go to somewhere on the appliance? I would expect my browser to download
> the key pair but nothing is downloaded after I enter the password.


Actually I can replicate your issue. Both on Firefox and Chrome nothing
happens. The key file should download to your download folder.
This most definitely used to work with Filr 1.1, but it seems to be
broken with Filr 1.2. I did not use this feature for a while now because
all SSL stuff is done on a load balancer appliance.

Günther
0 Likes
jmarton2 Absent Member.

Re: Difficulty replacing SSL cert

Günther Schwarz;2418500 wrote:


Actually I can replicate your issue. Both on Firefox and Chrome nothing
happens. The key file should download to your download folder.
This most definitely used to work with Filr 1.1, but it seems to be
broken with Filr 1.2. I did not use this feature for a while now because
all SSL stuff is done on a load balancer appliance.


I noticed I was still running a GMC build of Filr 1.2, so I upgraded to the released build and then applied Updates 1-4 and Security Update 1. The issue still persists (not being able to export) so I've pinged one of my Novell contacts to see if anyone there has any ideas.

Joe

Joe Marton Emeritus Knowledge Partner
0 Likes
Micro Focus Contributor

Re: Difficulty replacing SSL cert

jmarton;2418470 wrote:
I got a note from GoDaddy that I had to rekey my SSL certificate to use SHA-2 instead of SHA-1. I was able to access my GoDaddy account and change the encryption algorithm, and then download the bundle containing the cert & all the intermediates. I've imported all of them into Filr as trusted certificates. However, I can't set the new certificate as active. When I try and then reboot, the original certificate is still active. I wonder if that's because it's imported as a trusted certificate and isn't part of a key pair, but the only way I know to get a new key pair is to go through the entire CSR process which was skipped for this. Is there another way to replace the cert? Do I need to use command-line tools to do it?


Hi Joe,
I realize you shouldn't have to do this, but if you delete the original and intermediate will the new cert stick as active?
0 Likes
jmarton2 Absent Member.

Re: Difficulty replacing SSL cert

gchristensen;2418640 wrote:
Hi Joe,
I realize you shouldn't have to do this, but if you delete the original and intermediate will the new cert stick as active?


Unfortunately no luck after doing that... I can't set this new one to active. I imported the original one back and can't make it active now either. Looks like if the cert is a trusted cert, then you can't set it as active. It has to be a key pair but now I think I might be really hosed since I don't have the original key pair any longer. 😞 I've set the original self-signed cert as active for now but haven't restarted anything yet to make anything take effect.

Joe

Joe Marton Emeritus Knowledge Partner
0 Likes
Micro Focus Contributor

Re: Difficulty replacing SSL cert

jmarton;2418702 wrote:
Unfortunately no luck after doing that... I can't set this new one to active. I imported the original one back and can't make it active now either. Looks like if the cert is a trusted cert, then you can't set it as active. It has to be a key pair but now I think I might be really hosed since I don't have the original key pair any longer. 😞 I've set the original self-signed cert as active for now but haven't restarted anything yet to make anything take effect.

Joe


Joe, if you think this will work given your current state and you want to try to get additional debugging, edit your /etc/default/datamodel file and uncomment this line:
#export JAVA_OPTIONS="$JAVA_OPTIONS -Dorg.slf4j.simpleLogger.log.com.novell.admin=debug"
Then run rcnovell-datamodel-service restart
Then tailf /var/opt/novell/datamodel-service/logs/datamodel.stderrout.out
Return to the 9443 cert UI and attempt to import and make active.
Then see if the datamodel log reveals anything.
0 Likes
jmarton2 Absent Member.

Re: Difficulty replacing SSL cert

gchristensen;2419110 wrote:
Joe, if you think this will work given your current state and you want to try to get additional debugging, edit your /etc/default/datamodel file and uncomment this line:
#export JAVA_OPTIONS="$JAVA_OPTIONS -Dorg.slf4j.simpleLogger.log.com.novell.admin=debug"
Then run rcnovell-datamodel-service restart
Then tailf /var/opt/novell/datamodel-service/logs/datamodel.stderrout.out
Return to the 9443 cert UI and attempt to import and make active.
Then see if the datamodel log reveals anything.


Here's what got logged... not a whole lot going on though.

[RMI TCP Connection(6)-192.168.1.41] DEBUG com.novell.admin.common.datamodel.services.impl.ProcessServiceImpl - Executing command line: hostname -f
[RMI TCP Connection(6)-192.168.1.41] DEBUG com.novell.admin.common.datamodel.services.impl.ProcessServiceImpl - Process gobbler.waitfor called.
[RMI TCP Connection(6)-192.168.1.41] DEBUG com.novell.admin.common.datamodel.services.impl.ProcessServiceImpl - Process gobbler.join called 0
[RMI TCP Connection(6)-192.168.1.41] DEBUG com.novell.admin.common.datamodel.services.impl.ProcessServiceImpl - Process gobbler.join returned.
[RMI TCP Connection(6)-192.168.1.41] DEBUG com.novell.admin.common.datamodel.services.impl.ProcessServiceImpl - Process results: Process return code: 0, process output: filr.marton.org

[RMI TCP Connection(6)-192.168.1.41] DEBUG com.novell.admin.common.datamodel.services.impl.KeyStoreServiceImpl - Loading key store from: /vastorage/conf/certs/keystore
[RMI TCP Connection(6)-192.168.1.41] DEBUG com.novell.admin.common.datamodel.services.impl.KeyStoreServiceImpl - Loading key store from: /vastorage/conf/certs/keystore
[RMI TCP Connection(6)-192.168.1.41] DEBUG com.novell.admin.common.datamodel.services.impl.KeyStoreServiceImpl - Loading key store from: /vastorage/conf/certs/keystore

Joe

Joe Marton Emeritus Knowledge Partner
0 Likes
jmarton2 Absent Member.

Re: Difficulty replacing SSL cert

Update on the issue. Rather than to continue trying to figure out how to do this, I discovered GoDaddy allows me to rekey the cert by generating a new CSR. The new cert replaces the old one and the old one will be revoked in 72 hours. After doing this I have a new SHA-2 cert (SHA-256 specifically) and I've been able to install it and make it active. I'm back in business!

Joe

Joe Marton Emeritus Knowledge Partner
0 Likes
jmarton2 Absent Member.

Re: Difficulty replacing SSL cert

Günther Schwarz;2418500 wrote:

Actually I can replicate your issue. Both on Firefox and Chrome nothing
happens. The key file should download to your download folder.
This most definitely used to work with Filr 1.1, but it seems to be
broken with Filr 1.2.


Looks like the export issue was specific to Filr 1.2 as I've upgraded to Filr 2.0 and export now works properly.

Joe

Joe Marton Emeritus Knowledge Partner
0 Likes
aferris Absent Member.

Re: Difficulty replacing SSL cert

That's good to hear Joe as I duplicated your issue on my 1.2 system.

Andrew
0 Likes