How does one change the certificate and key for https





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







3















We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. This site was set up some time ago with Strict-Transport-Security established.



The server key is 4096 bits. The old CA root
private key is 1024 bits (it was issued in 2006).



How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.






apache-2.4 ssl-certificate x509







share|improve this question































    3















    We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. This site was set up some time ago with Strict-Transport-Security established.



    The server key is 4096 bits. The old CA root
    private key is 1024 bits (it was issued in 2006).



    How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.






    apache-2.4 ssl-certificate x509







    share|improve this question



























      3












      3








      3








      We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. This site was set up some time ago with Strict-Transport-Security established.



      The server key is 4096 bits. The old CA root
      private key is 1024 bits (it was issued in 2006).



      How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.






      apache-2.4 ssl-certificate x509







      share|improve this question
















      We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. This site was set up some time ago with Strict-Transport-Security established.



      The server key is 4096 bits. The old CA root
      private key is 1024 bits (it was issued in 2006).



      How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.






      apache-2.4 ssl-certificate x509




      apache-2.4 ssl-certificate x509






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 8 hours ago









      kubanczyk

      10.6k22945




      10.6k22945










      asked yesterday









      James B. ByrneJames B. Byrne

      1746




      1746






















          1 Answer
          1






          active

          oldest

          votes


















          6














          HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.



          Are you sure you dont mean HTTP Public Key Pinning (HPKP)



          Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.






          share|improve this answer


























          • Yes. I believe that you are correct. I missed the distinction. I will research that instead.

            – James B. Byrne
            yesterday











          • HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

            – John Mahowald
            yesterday











          • The resolution to that would be to add new header to expire after current last header expires.

            – Aroly7
            yesterday











          • To clarify our situation. We do not, and never have, used HPKP. I verified that personally. The issue with the certificates was simply that they had expired. The correct solution was to issue a new certificate signing request (CSR) using the existing server public key which was 4096 bits, have the CSR signed by the new trusted CA, and install that certificate in place of the old one.

            – James B. Byrne
            8 hours ago













          • If your certificate already expired then yes, To this point, I thought that you are preparing since your certificate soon expire.

            – Aroly7
            8 hours ago












          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "2"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962425%2fhow-does-one-change-the-certificate-and-key-for-https%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          6














          HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.



          Are you sure you dont mean HTTP Public Key Pinning (HPKP)



          Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.






          share|improve this answer


























          • Yes. I believe that you are correct. I missed the distinction. I will research that instead.

            – James B. Byrne
            yesterday











          • HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

            – John Mahowald
            yesterday











          • The resolution to that would be to add new header to expire after current last header expires.

            – Aroly7
            yesterday











          • To clarify our situation. We do not, and never have, used HPKP. I verified that personally. The issue with the certificates was simply that they had expired. The correct solution was to issue a new certificate signing request (CSR) using the existing server public key which was 4096 bits, have the CSR signed by the new trusted CA, and install that certificate in place of the old one.

            – James B. Byrne
            8 hours ago













          • If your certificate already expired then yes, To this point, I thought that you are preparing since your certificate soon expire.

            – Aroly7
            8 hours ago
















          6














          HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.



          Are you sure you dont mean HTTP Public Key Pinning (HPKP)



          Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.






          share|improve this answer


























          • Yes. I believe that you are correct. I missed the distinction. I will research that instead.

            – James B. Byrne
            yesterday











          • HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

            – John Mahowald
            yesterday











          • The resolution to that would be to add new header to expire after current last header expires.

            – Aroly7
            yesterday











          • To clarify our situation. We do not, and never have, used HPKP. I verified that personally. The issue with the certificates was simply that they had expired. The correct solution was to issue a new certificate signing request (CSR) using the existing server public key which was 4096 bits, have the CSR signed by the new trusted CA, and install that certificate in place of the old one.

            – James B. Byrne
            8 hours ago













          • If your certificate already expired then yes, To this point, I thought that you are preparing since your certificate soon expire.

            – Aroly7
            8 hours ago














          6












          6








          6







          HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.



          Are you sure you dont mean HTTP Public Key Pinning (HPKP)



          Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.






          share|improve this answer















          HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.



          Are you sure you dont mean HTTP Public Key Pinning (HPKP)



          Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited yesterday

























          answered yesterday









          Aroly7Aroly7

          33415




          33415













          • Yes. I believe that you are correct. I missed the distinction. I will research that instead.

            – James B. Byrne
            yesterday











          • HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

            – John Mahowald
            yesterday











          • The resolution to that would be to add new header to expire after current last header expires.

            – Aroly7
            yesterday











          • To clarify our situation. We do not, and never have, used HPKP. I verified that personally. The issue with the certificates was simply that they had expired. The correct solution was to issue a new certificate signing request (CSR) using the existing server public key which was 4096 bits, have the CSR signed by the new trusted CA, and install that certificate in place of the old one.

            – James B. Byrne
            8 hours ago













          • If your certificate already expired then yes, To this point, I thought that you are preparing since your certificate soon expire.

            – Aroly7
            8 hours ago



















          • Yes. I believe that you are correct. I missed the distinction. I will research that instead.

            – James B. Byrne
            yesterday











          • HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

            – John Mahowald
            yesterday











          • The resolution to that would be to add new header to expire after current last header expires.

            – Aroly7
            yesterday











          • To clarify our situation. We do not, and never have, used HPKP. I verified that personally. The issue with the certificates was simply that they had expired. The correct solution was to issue a new certificate signing request (CSR) using the existing server public key which was 4096 bits, have the CSR signed by the new trusted CA, and install that certificate in place of the old one.

            – James B. Byrne
            8 hours ago













          • If your certificate already expired then yes, To this point, I thought that you are preparing since your certificate soon expire.

            – Aroly7
            8 hours ago

















          Yes. I believe that you are correct. I missed the distinction. I will research that instead.

          – James B. Byrne
          yesterday





          Yes. I believe that you are correct. I missed the distinction. I will research that instead.

          – James B. Byrne
          yesterday













          HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

          – John Mahowald
          yesterday





          HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

          – John Mahowald
          yesterday













          The resolution to that would be to add new header to expire after current last header expires.

          – Aroly7
          yesterday





          The resolution to that would be to add new header to expire after current last header expires.

          – Aroly7
          yesterday













          To clarify our situation. We do not, and never have, used HPKP. I verified that personally. The issue with the certificates was simply that they had expired. The correct solution was to issue a new certificate signing request (CSR) using the existing server public key which was 4096 bits, have the CSR signed by the new trusted CA, and install that certificate in place of the old one.

          – James B. Byrne
          8 hours ago







          To clarify our situation. We do not, and never have, used HPKP. I verified that personally. The issue with the certificates was simply that they had expired. The correct solution was to issue a new certificate signing request (CSR) using the existing server public key which was 4096 bits, have the CSR signed by the new trusted CA, and install that certificate in place of the old one.

          – James B. Byrne
          8 hours ago















          If your certificate already expired then yes, To this point, I thought that you are preparing since your certificate soon expire.

          – Aroly7
          8 hours ago





          If your certificate already expired then yes, To this point, I thought that you are preparing since your certificate soon expire.

          – Aroly7
          8 hours ago


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Server Fault!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962425%2fhow-does-one-change-the-certificate-and-key-for-https%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Alcázar de San Juan

          Image
          Alcázar de San Juan Flago Blazono Administrado Lando Hispanio Ŝtato Hispanio Regiono Kastilio-Manĉo Provinco Ciudad Real (Reĝurbo) Distrikto Kamparo de Sankta Johano Komarko Manĉa Centro Patrono Kronita Virgulino de la Rozario Poŝtkodo 13600 [+] Retpaĝaro [1] Politiko Loka registaro PP ( Popola Partio ) Urbestro Diego Ortega Abengózar Demografio Loĝantaro 29,693 (en 2 010) Loĝdenso 44,53 loĝ./km² Geografio Koordinatoj 39°23′25″N 3°12′20″U   /   39.39028°N , 3.20556°U  / 39.39028; -3.20556  ( Alcázar de San Juan ) Alto 644 m Ŝablono:Informkesto urbo/zorgado/numero Areo 666.78 km² Ŝablono:Informkesto urbo/zorgado/numero Horzono UTC+01:00 [+] DMS Alcázar de San Juan Alia projekto Vikimedia Komunejo Alcázar de San Juan [+] v   •   d   •   r Urbodomo Statuo de Cervantes Preĝejo de San...
          Read more

          Griza ansero

          Image
          Griza ansero Okcidenta griza ansero ( Anser anser anser ) Biologia klasado Regno: Bestoj Animalia Filumo: Ĥorduloj Chordata Klaso: Birdoj Aves Ordo: Anseroformaj Anseriformes Familio: Anasedoj Anatidae Genro: Ansero Dunomo Anser anser (Linnaeus, 1758) Konserva statuso Konserva statuso: Malplej zorgiga Subspecioj A. a. anser Okcidenta griza ansero A. a. rubrirostris Orienta griza ansero A. a. domesticus Endomigita ansero Aliaj Vikimediaj projektoj Sistematiko en Vikispecioj Komunejo pri Griza ansero v   •   d   •   r La Griza ansero ( Anser anser ) estas granda birdo (75–89 cm) el la familio de Anasedoj, kun ampleksa teritorio en la Malnova Mondo. Ĝi estas la tipa specio de la genro Anser . Ĝi estis en antaŭ-Linea tempo konata kiel Natura ansero ("Anser ferus"). Ĉefe tiu specio estas praulo de la Bredansero en Eŭropo kaj Nordameriko, iel ku...
          Read more

          Heinkel He 51

          Image
          He 51B de la Bulgara Aerarmeo He 51C de la 3/J 88 Adolf Galland -Legión Cóndor- en la Hispana Enlanda Milito. La Heinkel He 51 (He 51) estas biplana ĉasaviadilo de Heinkel, kiu servis en la Germana Aerarmeo (Luftwaffe) meze de la 1930-aj jaroj. La totala produktado de la He 51, en ĉiuj versioj, estas de ĉirkaŭ 800 aparatoj konstruitaj de Heinkel, Arado, Erla kaj Fieseler. Post malmulte da tempo la He 51 iĝis eksmodaj, kaj inter 1937 kaj 1938 ili estis retirataj de la Jagdgeschwader (ĉasaviadilgrupoj) de la Luftwaffe kaj estis uzataj nur por taskoj de trejnado dum granda parto de la Dua Mondmilito. La last versio laŭnombre grava estis la He 51C-1 , destinata al misioj de atako al grundo, por kio ĝi alportis ŝarĝeton de bomboj. This page is only for reference, If you need detailed information, please check here
          Read more