Are those signing certificates or server certificates?
Thank you handat and Srini.
Signing certificates or server certificates ? I do not know the difference enough to answer.
I will generate them like this:
openssl genrsa -out myphysiqmachine_verisign_201609.key 2048
Generating RSA private key, 2048 bit long modulus
......................+++
............+++
e is 65537 (0x10001)
openssl req -new -key ./myphysiqmachine_verisign_201609.key -out myphysiqmachine_verisign_201608.csr
What is it then? Thanks.
What are your certificates used for? Are they used to encrypt your http traffic to https or are they used to sign your jar files?
I will generate them like this :
openssl genrsa -out myphysiqmachine_verisign_201609.key 2048
Generating RSA private key, 2048 bit long modulus
......................+++
............+++
e is 65537 (0x10001)
openssl req -new -key ./myphysiqmachine_verisign_201609.key -out myphysiqmachine_verisign_201608.csr
your http traffic to https or are they used to sign your jar files? Are they different? I think it (or they) should do both: http to https and sign jar files.
What is it then ? Thanks.
You have generated a new private RSA key and then generated a new CSR (certificate signing request) for it, which you can send to a CA for signing.
However, since I don't know what's defined in your openssl.conf file, I do not know what type of certificate you are requesting.
The following command would show the details of your CSR (it will only show the public component of your key, not the private part):
openssl req -in myphysiqmachine_verisign_201608.csr -text -noout
Here is the output of openssl req -in.............
Version: 0 (0x0)
Subject: C=xx, ST=xx, L=xx, O=Informatique xx, OU=xx Systeme, CN=myphysiqmachin.xx.fr/emailAddress=xx
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
What can we conclude? What kind is it?
It looks like a server certificate request for your web/app server since it does not have the CertSign flag defined for keyUsage. However, that is optional for a CSR and could be requested when you actually send it to your CA.
You might want to double check that on your existing certificates. Check the keyUsage flag and see what exists. If it contains CertSign, then it's for signing your jars; if it has digitalSignature, then it's a server certificate for your app server.
How to check keyUsage flag ?
In 11.5.10, is there any keystore in $IAS_ORACLE_HOME/Apache/Apache/conf/certs ?
When we receive the certificate we do
cat intermediaire.cer verisign.cer >> ca.crt
mv server.cer server.crt
cp server.crt $APACHE_TOP/Apache/conf/certs/ssl.crt
cp ca.crt $APACHE_TOP/Apache/conf/certs/ssl.crt
I do not see any relation with
You can run the following to display your certificate:
openssl x509 -in ssl.crt -text
However, being a ssl.crt file in apache conf directory tells me that it is a server certificate for your web server.
Doing the steps you just described would allow you to replace your old certificate with the new one you receive from your CA.
However, that's a certificate replace. If you want to actually renew your certificate, then you would need to generate your CSR file with your existing key and not generate a new key like you did before, ie
openssl req -new -key ssl.key -out myphysiqmachine_verisign_201608.csr
where ssl.key is the file defined by SSLCertificateKeyFile in your apache config file.
Alternatively, if you still have your old csr file for your existing certificate, then you can simply use that one to renew your certificate.
Thank you for reply.
We receive three files :
intermediaire.cer ; verisign.cer and server.cer
in verisign : X509v3 Key Usage: critical
Certificate Sign, CRL Sign
in server.cer : X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Then verisign.cer seems to be for jar signing ?
If yes how to use it to sign the jar file ?
Thanks and regards.
No, server.cer is your certificate.
verisign.cer is your CA, and intermediaire.cer is the intermediate CA.
Your server.cer is therefore an SSL/TLS certificate for your apache server to allow it to do https.
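Added example, not part of the original thread: a shell helper that reads the text printed by `openssl x509 -noout -text` and labels a certificate from its Basic Constraints, Key Usage and Extended Key Usage. The function names and the fallback heuristic are this example's assumptions; a certificate meant for jar signing is recognised by the Extended Key Usage `Code Signing`, and `Certificate Sign` marks a CA certificate.

```shell
#!/bin/sh
# Added example: classify a certificate from `openssl x509 -noout -text` output.
# Function names are hypothetical; they are not from the thread or from OpenSSL.

# Print the value line that follows the "X509v3 <name>:" header read on stdin.
ext_value() {
    awk -v name="X509v3 $1:" '
        found { sub(/^[ \t]+/, ""); print; exit }
        index($0, name) { found = 1 }'
}

# Read certificate text on stdin; print ca, code-signing, tls-server or unknown.
classify_cert_text() {
    text=$(cat)
    ku=$(printf '%s\n' "$text" | ext_value "Key Usage")
    eku=$(printf '%s\n' "$text" | ext_value "Extended Key Usage")
    bc=$(printf '%s\n' "$text" | ext_value "Basic Constraints")

    # A CA certificate may sign other certificates.
    case "$bc$ku" in
        *CA:TRUE*|*"Certificate Sign"*) echo ca; return ;;
    esac
    # Extended Key Usage states the purpose of an end-entity certificate.
    case "$eku" in
        *"Code Signing"*) echo code-signing; return ;;
        *"TLS Web Server Authentication"*) echo tls-server; return ;;
    esac
    # Heuristic (assumption): with no EKU, Key Encipherment points to an
    # RSA certificate used for SSL/TLS; anything else is left undecided.
    case "$ku" in
        *"Key Encipherment"*) echo tls-server ;;
        *) echo unknown ;;
    esac
}

# Convenience wrapper for a PEM file on disk (requires the openssl CLI).
classify_cert() {
    openssl x509 -in "$1" -noout -text | classify_cert_text
}

# When run with file arguments, label each one.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(classify_cert "$f")"
    done
fi
```

Run it as `sh classify.sh verisign.cer intermediaire.cer server.cer` (the script name is a placeholder) to label each file received from the CA.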
I conclude that:
-Our certificate is just for the server.
-We have nothing to do for this renewal on JAR files.
Am I correct ?