Tjyylli

The difference between dialogue marks

Can withdrawing asylum be illegal?

Will it cause any balance problems to have PCs level up and gain the benefits of a long rest mid-fight?

How to quickly solve partial fractions equation?

Is it ethical to upload a automatically generated paper to a non peer-reviewed site as part of a larger research?

Finding the area between two curves with Integrate

Worn-tile Scrabble

Output the Arecibo Message

Why can't devices on different VLANs, but on the same subnet, communicate?

Variable with quotation marks "$()"

Dropping list elements from nested list after evaluation

The phrase "to the numbers born"?

Why is this code so slow?

Ubuntu Server install with full GUI

Is there a way to generate a uniformly distributed point on a sphere from a fixed amount of random real numbers?

How do PCB vias affect signal quality?

Can there be female White Walkers?

Is it okay to consider publishing in my first year of PhD?

What does もの mean in this sentence?

How do you keep chess fun when your opponent constantly beats you?

"as much details as you can remember"

A word that means fill it to the required quantity

Why didn't the Event Horizon Telescope team mention Sagittarius A*?

What to do when moving next to a bird sanctuary with a loosely-domesticated cat?

How does one change the certificate and key for https

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}

3

We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. This site was set up some time ago with Strict-Transport-Security established.

The server key is 4096 bits. The old CA root
private key is 1024 bits (it was issued in 2006).

How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.

apache-2.4 ssl-certificate x509

share|improve this question

edited 13 hours ago

kubanczyk

10.6k22945

asked yesterday

James B. ByrneJames B. Byrne

1746

add a comment | 

3

We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. This site was set up some time ago with Strict-Transport-Security established.

The server key is 4096 bits. The old CA root
private key is 1024 bits (it was issued in 2006).

How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.

apache-2.4 ssl-certificate x509

share|improve this question

edited 13 hours ago

kubanczyk

10.6k22945

asked yesterday

James B. ByrneJames B. Byrne

1746

add a comment | 

We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. This site was set up some time ago with Strict-Transport-Security established.

The server key is 4096 bits. The old CA root
private key is 1024 bits (it was issued in 2006).

How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.

apache-2.4 ssl-certificate x509

share|improve this question

edited 13 hours ago

kubanczyk

10.6k22945

asked yesterday

James B. ByrneJames B. Byrne

1746

share|improve this question

edited 13 hours ago

kubanczyk

10.6k22945

asked yesterday

James B. ByrneJames B. Byrne

1746

share|improve this question

edited 13 hours ago

kubanczyk

10.6k22945

asked yesterday

James B. ByrneJames B. Byrne

1746

edited 13 hours ago

kubanczyk

10.6k22945

edited 13 hours ago

kubanczyk

10.6k22945

asked yesterday

James B. ByrneJames B. Byrne

1746

asked yesterday

James B. ByrneJames B. Byrne

1746

1 Answer
1

active

oldest

votes

6

HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.

Are you sure you dont mean HTTP Public Key Pinning (HPKP)

Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.

share|improve this answer

edited yesterday

answered yesterday

Aroly7Aroly7

33415

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes. I believe that you are correct. I missed the distinction. I will research that instead.
  
  – James B. Byrne
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.
  
  – John Mahowald
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The resolution to that would be to add new header to expire after current last header expires.
  
  – Aroly7
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  To clarify our situation. We do not, and never have, used HPKP. I verified that personally. The issue with the certificates was simply that they had expired. The correct solution was to issue a new certificate signing request (CSR) using the existing server public key which was 4096 bits, have the CSR signed by the new trusted CA, and install that certificate in place of the old one.
  
  – James B. Byrne
  14 hours ago
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  If your certificate already expired then yes, To this point, I thought that you are preparing since your certificate soon expire.
  
  – Aroly7
  13 hours ago
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962425%2fhow-does-one-change-the-certificate-and-key-for-https%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

6

HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.

Are you sure you dont mean HTTP Public Key Pinning (HPKP)

Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.

share|improve this answer

edited yesterday

answered yesterday

Aroly7Aroly7

33415

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes. I believe that you are correct. I missed the distinction. I will research that instead.
  
  – James B. Byrne
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.
  
  – John Mahowald
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The resolution to that would be to add new header to expire after current last header expires.
  
  – Aroly7
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  To clarify our situation. We do not, and never have, used HPKP. I verified that personally. The issue with the certificates was simply that they had expired. The correct solution was to issue a new certificate signing request (CSR) using the existing server public key which was 4096 bits, have the CSR signed by the new trusted CA, and install that certificate in place of the old one.
  
  – James B. Byrne
  14 hours ago
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  If your certificate already expired then yes, To this point, I thought that you are preparing since your certificate soon expire.
  
  – Aroly7
  13 hours ago
  

  
  
  
  

add a comment | 

6

HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.

Are you sure you dont mean HTTP Public Key Pinning (HPKP)

Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.

share|improve this answer

edited yesterday

answered yesterday

Aroly7Aroly7

33415

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes. I believe that you are correct. I missed the distinction. I will research that instead.
  
  – James B. Byrne
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.
  
  – John Mahowald
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The resolution to that would be to add new header to expire after current last header expires.
  
  – Aroly7
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  To clarify our situation. We do not, and never have, used HPKP. I verified that personally. The issue with the certificates was simply that they had expired. The correct solution was to issue a new certificate signing request (CSR) using the existing server public key which was 4096 bits, have the CSR signed by the new trusted CA, and install that certificate in place of the old one.
  
  – James B. Byrne
  14 hours ago
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  If your certificate already expired then yes, To this point, I thought that you are preparing since your certificate soon expire.
  
  – Aroly7
  13 hours ago
  

  
  
  
  

add a comment | 

HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.

Are you sure you dont mean HTTP Public Key Pinning (HPKP)

Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.

share|improve this answer

edited yesterday

answered yesterday

Aroly7Aroly7

33415

share|improve this answer

edited yesterday

answered yesterday

Aroly7Aroly7

33415

answered yesterday

Aroly7Aroly7

33415

answered yesterday

Aroly7Aroly7

33415