15 Replies Latest reply on Sep 5, 2016 11:21 AM by happy10319

    Renew verisign certificate

    happy10319

      Hi all,

      on 11.5.2.10 on AIX DB 11.2.0.4

      We have two application servers (say, two E-Business systems) on the same machine (AIX).

      The Verisign certificate on this machine comes to an end in the next two weeks.

      Would you be so kind as to guide me through the steps to follow once we receive our new Verisign certificate?

       

      Thanks and regards.

        • 2. Re: Renew verisign certificate
          handat

          Are those signing certificates or server certificates?

          • 3. Re: Renew verisign certificate
            happy10319

            Hi,

            Thank you handat and Srini.

            Handat,

            Signing certificates or server certificates ? I do not know the difference enough to answer.

             

            I will generate them like this:

            openssl genrsa -out myphysiqmachine_verisign_201609.key 2048

            Generating RSA private key, 2048 bit long modulus ......................+++ ............+++ e is 65537 (0x10001)

            openssl req -new -key ./myphysiqmachine_verisign_201609.key -out myphysiqmachine_verisign_201608.csr

            What is it then? Thanks.

            • 4. Re: Renew verisign certificate
              handat

              What are your certificates used for? Are they used to encrypt your http traffic to https or are they used to sign your jar files?

              • 5. Re: Renew verisign certificate
                happy10319

                Thanks.

                I will generate them like this :

                openssl genrsa -out myphysiqmachine_verisign_201609.key 2048

                Generating RSA private key, 2048 bit long modulus ......................+++ ............+++ e is 65537 (0x10001)

                 

                 

                openssl req -new -key ./myphysiqmachine_verisign_201609.key -out myphysiqmachine_verisign_201608.csr

                your http traffic to https or are they used to sign your jar files? Are they different? I think it (or they) should do both: http to https and sign jar files.

                What is it then? Thanks.

                • 6. Re: Renew verisign certificate
                  handat

                  You have generated a new private RSA key and then generated a new CSR (certificate signing request) for it, which you can send to a CA for signing.

                  However, since I don't know what's defined in your openssl.conf file, I do not know what type of certificate you are requesting.

                  The following command would show the details of your CSR (it will only show the public component of your key, not the private part):

                  openssl req -in myphysiqmachine_verisign_201608.csr -text -noout

                  • 7. Re: Renew verisign certificate
                    happy10319

                    Thank you.

                    Here is the output of openssl req -in.............

                    Certificate Request:
                        Data:
                            Version: 0 (0x0)
                            Subject: C=xx, ST=xx, L=xx, O=Informatique xx, OU=xx Systeme, CN=myphysiqmachin.xx.fr/emailAddress=xx
                            Subject Public Key Info:
                                Public Key Algorithm: rsaEncryption
                                RSA Public Key: (2048 bit)
                                    Modulus (2048 bit):
                                        00:d9:ac:e7:6b:b6:be:bf:b9:6f:cv:05:69:6c:3c:
                                        ............................................
                                        ...........................................
                                        5d:e1
                                    Exponent: 65537 (0x10001)
                            Attributes:
                                a0:00
                        Signature Algorithm: sha1WithRSAEncryption
                            4f:76:9d:78:47:78:48:c6:5f:k1:03:24:aa:c9:3c:86:67:73:
                            15:0c:14:d2:50:10:f0:4e:23:8b:97:53:65:c8:d7:21:69:e1:

                     

                    What can we conclude? What kind is it?

                    Regards

                    • 8. Re: Renew verisign certificate
                      handat

                      It looks like a server certificate request for your web/app server since it does not have the CertSign flag defined for keyUsage. However, that is optional for a CSR and could be requested when you actually send it to your CA.

                      You might want to double check that on your existing certificates. Check the keyUsage flag and see what exists. If it contains CertSign, then it's for signing your jars; if it has digitalSignature, then it's a server certificate for your app server.

                      • 9. Re: Renew verisign certificate
                        happy10319

                        Thank you.

                        How do I check the keyUsage flag?

                         

                        In 11.5.10, is there any keystore in $IAS_ORACLE_HOME/Apache/Apache/conf/certs?

                         

                        When we receive the certificate we do

                        cat intermediaire.cer verisign.cer >> ca.crt

                        mv server.cer server.crt

                        export APACHE_TOP=$IAS_ORACLE_HOME/Apache

                        cp server.crt $APACHE_TOP/Apache/conf/certs/ssl.crt

                        cp ca.crt $APACHE_TOP/Apache/conf/certs/ssl.crt

                         

                        I do not see any relation with

                        /usr/java6/jre/lib/security/cacerts

                         

                        Regards

                        • 10. Re: Renew verisign certificate
                          handat

                          You can run the following to display your certificate:

                          openssl x509 -in ssl.crt -text

                           

                          However, it being an ssl.crt file in the apache conf directory tells me that it is a server certificate for your web server.

                           

                          Doing the steps you just described would allow you to replace your old certificate with the new one you receive from your CA.

                          However, that's a certificate replace. If you want to actually renew your certificate, then you would need to generate your CSR file with your existing key and not generate a new key like you did before, i.e.

                           

                          openssl req -new -key ssl.key -out myphysiqmachine_verisign_201608.csr

                           

                          where ssl.key is the file defined by SSLCertificateKeyFile in your apache config file.

                           

                          Alternatively, if you still have your old csr file for your existing certificate, then you can simply use that one to renew your certificate.

                          • 11. Re: Renew verisign certificate
                            happy10319

                            Hi,

                            Thank you for reply.

                            We receive three files :

                            intermediaire.cer ; verisign.cer and server.cer

                             

                            in verisign:

                            X509v3 Key Usage: critical
                                Certificate Sign, CRL Sign

                            in server.cer:

                            X509v3 Key Usage: critical
                                Digital Signature, Key Encipherment

                            in intermediaire.cer:

                            X509v3 Key Usage: critical
                                Certificate Sign, CRL Sign

                             

                            Then verisign.cer seems to be for jar signing?

                            If yes, how to use it to sign the jar file?

                             

                            Thanks and regards.

                            • 12. Re: Renew verisign certificate
                              handat

                              No, server.cer is your certificate.

                              verisign.cer is your CA, and intermediaire.cer is the intermediate CA.

                              Your server.cer is therefore an SSL/TLS certificate for your apache server to allow it to do https.

                              • 13. Re: Renew verisign certificate
                                happy10319

                                Hi,

                                Thanks.

                                I conclude that:

                                - Our certificate is just for the server.

                                - We have nothing to do for this renewal on JAR files.

                                Am I correct ?

                                Regards.

                                • 14. Re: Renew verisign certificate
                                  handat

                                  yes, correct.
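
The checks discussed in this thread (which key usage a certificate carries, whether it matches the key named by SSLCertificateKeyFile, and whether it chains to the CA bundle), as an added example that is not part of the original posts. The throwaway CA, the files under the temporary directory and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: checks to run on a renewed certificate before copying it into
# the Apache conf directory. The demo CA, keys and file names are constructed.

# True only if the certificate carries the public key of the given private key
# (the case when the CSR was generated from the existing ssl.key).
cert_matches_key() {  # $1 = certificate (PEM), $2 = private key (PEM)
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True only if the certificate chains to the CA bundle (ca.crt in the thread).
chain_ok() {  # $1 = CA bundle (PEM), $2 = certificate (PEM)
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Prints the X509v3 Key Usage values of a certificate.
key_usage() {  # $1 = certificate (PEM)
    openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Key Usage/{n;s/^ *//;p;}'
}

# Builds a throwaway CA plus a server key and certificate in directory $1.
make_demo() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca_ext' '[dn]' \
        '[ca_ext]' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        '[srv_ext]' 'keyUsage=critical,digitalSignature,keyEncipherment' > "$d/demo.cnf"
    openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl genrsa -out "$d/ssl.key" 2048 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null   # key NOT used for the CSR
    openssl req -new -config "$d/demo.cnf" -key "$d/ssl.key" \
        -subj "/CN=demo.example" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -extfile "$d/demo.cnf" -extensions srv_ext \
        -out "$d/server.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo "$demo"
cert_matches_key "$demo/server.crt" "$demo/ssl.key" && echo "ssl.key: matches"
cert_matches_key "$demo/server.crt" "$demo/other.key" || echo "other.key: no match"
chain_ok "$demo/ca.crt" "$demo/server.crt" && echo "chain: OK"
echo "server keyUsage: $(key_usage "$demo/server.crt")"
echo "CA keyUsage: $(key_usage "$demo/ca.crt")"
```

With the files from the thread, the inputs would be server.crt, ca.crt and the key file named by SSLCertificateKeyFile.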
