How does one change the certificate and key for https The 2019 Stack Overflow Developer Survey...

The difference between dialogue marks

Can withdrawing asylum be illegal?

Will it cause any balance problems to have PCs level up and gain the benefits of a long rest mid-fight?

How to quickly solve partial fractions equation?

Is it ethical to upload a automatically generated paper to a non peer-reviewed site as part of a larger research?

Finding the area between two curves with Integrate

Worn-tile Scrabble

Output the Arecibo Message

Why can't devices on different VLANs, but on the same subnet, communicate?

Variable with quotation marks "$()"

Dropping list elements from nested list after evaluation

The phrase "to the numbers born"?

Why is this code so slow?

Ubuntu Server install with full GUI

Is there a way to generate a uniformly distributed point on a sphere from a fixed amount of random real numbers?

How do PCB vias affect signal quality?

Can there be female White Walkers?

Is it okay to consider publishing in my first year of PhD?

What does もの mean in this sentence?

How do you keep chess fun when your opponent constantly beats you?

"as much details as you can remember"

A word that means fill it to the required quantity

Why didn't the Event Horizon Telescope team mention Sagittarius A*?

What to do when moving next to a bird sanctuary with a loosely-domesticated cat?



How does one change the certificate and key for https



The 2019 Stack Overflow Developer Survey Results Are InInstalling SSL Thawte Certificates for tomcat from pre-generated Private KeyConfigure Apache to serve proper certificate chainJava keystore: How to import the ca certificates correctly?VeriSign G5 Root Certificate - PayPal IPNHow to use your ssl certificate and key from your website with activemq console?How to fix issues with LetsEncrypt certificate chains on Windows Server?Why does OpenVPN give the error: “unsupported certificate purpose” for an intermediate certificate?Why might a ssl certificate fail to validate after the root certificate was installed?Re-issuing self-signed root CA without invalidating certificates signed by itNode js: Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







3















We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. This site was set up some time ago with Strict-Transport-Security established.



The server key is 4096 bits. The old CA root
private key is 1024 bits (it was issued in 2006).



How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.










share|improve this question































    3















    We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. This site was set up some time ago with Strict-Transport-Security established.



    The server key is 4096 bits. The old CA root
    private key is 1024 bits (it was issued in 2006).



    How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.










    share|improve this question



























      3












      3








      3








      We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. This site was set up some time ago with Strict-Transport-Security established.



      The server key is 4096 bits. The old CA root
      private key is 1024 bits (it was issued in 2006).



      How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.










      share|improve this question
















      We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. This site was set up some time ago with Strict-Transport-Security established.



      The server key is 4096 bits. The old CA root
      private key is 1024 bits (it was issued in 2006).



      How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.







      apache-2.4 ssl-certificate x509






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 13 hours ago









      kubanczyk

      10.6k22945




      10.6k22945










      asked yesterday









      James B. ByrneJames B. Byrne

      1746




      1746






















          1 Answer
          1






          active

          oldest

          votes


















          6














          HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.



          Are you sure you dont mean HTTP Public Key Pinning (HPKP)



          Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.






          share|improve this answer


























          • Yes. I believe that you are correct. I missed the distinction. I will research that instead.

            – James B. Byrne
            yesterday











          • HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

            – John Mahowald
            yesterday











          • The resolution to that would be to add new header to expire after current last header expires.

            – Aroly7
            yesterday











          • To clarify our situation. We do not, and never have, used HPKP. I verified that personally. The issue with the certificates was simply that they had expired. The correct solution was to issue a new certificate signing request (CSR) using the existing server public key which was 4096 bits, have the CSR signed by the new trusted CA, and install that certificate in place of the old one.

            – James B. Byrne
            14 hours ago













          • If your certificate already expired then yes, To this point, I thought that you are preparing since your certificate soon expire.

            – Aroly7
            13 hours ago












          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "2"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962425%2fhow-does-one-change-the-certificate-and-key-for-https%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          6














          HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.



          Are you sure you dont mean HTTP Public Key Pinning (HPKP)



          Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.






          share|improve this answer


























          • Yes. I believe that you are correct. I missed the distinction. I will research that instead.

            – James B. Byrne
            yesterday











          • HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

            – John Mahowald
            yesterday











          • The resolution to that would be to add new header to expire after current last header expires.

            – Aroly7
            yesterday











          • To clarify our situation. We do not, and never have, used HPKP. I verified that personally. The issue with the certificates was simply that they had expired. The correct solution was to issue a new certificate signing request (CSR) using the existing server public key which was 4096 bits, have the CSR signed by the new trusted CA, and install that certificate in place of the old one.

            – James B. Byrne
            14 hours ago













          • If your certificate already expired then yes, To this point, I thought that you are preparing since your certificate soon expire.

            – Aroly7
            13 hours ago
















          6














          HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.



          Are you sure you dont mean HTTP Public Key Pinning (HPKP)



          Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.






          share|improve this answer


























          • Yes. I believe that you are correct. I missed the distinction. I will research that instead.

            – James B. Byrne
            yesterday











          • HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

            – John Mahowald
            yesterday











          • The resolution to that would be to add new header to expire after current last header expires.

            – Aroly7
            yesterday











          • To clarify our situation. We do not, and never have, used HPKP. I verified that personally. The issue with the certificates was simply that they had expired. The correct solution was to issue a new certificate signing request (CSR) using the existing server public key which was 4096 bits, have the CSR signed by the new trusted CA, and install that certificate in place of the old one.

            – James B. Byrne
            14 hours ago













          • If your certificate already expired then yes, To this point, I thought that you are preparing since your certificate soon expire.

            – Aroly7
            13 hours ago














          6












          6








          6







          HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.



          Are you sure you dont mean HTTP Public Key Pinning (HPKP)



          Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.






          share|improve this answer















          HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.



          Are you sure you dont mean HTTP Public Key Pinning (HPKP)



          Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited yesterday

























          answered yesterday









          Aroly7Aroly7

          33415




          33415













          • Yes. I believe that you are correct. I missed the distinction. I will research that instead.

            – James B. Byrne
            yesterday











          • HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

            – John Mahowald
            yesterday











          • The resolution to that would be to add new header to expire after current last header expires.

            – Aroly7
            yesterday











          • To clarify our situation. We do not, and never have, used HPKP. I verified that personally. The issue with the certificates was simply that they had expired. The correct solution was to issue a new certificate signing request (CSR) using the existing server public key which was 4096 bits, have the CSR signed by the new trusted CA, and install that certificate in place of the old one.

            – James B. Byrne
            14 hours ago













          • If your certificate already expired then yes, To this point, I thought that you are preparing since your certificate soon expire.

            – Aroly7
            13 hours ago



















          • Yes. I believe that you are correct. I missed the distinction. I will research that instead.

            – James B. Byrne
            yesterday











          • HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

            – John Mahowald
            yesterday











          • The resolution to that would be to add new header to expire after current last header expires.

            – Aroly7
            yesterday











          • To clarify our situation. We do not, and never have, used HPKP. I verified that personally. The issue with the certificates was simply that they had expired. The correct solution was to issue a new certificate signing request (CSR) using the existing server public key which was 4096 bits, have the CSR signed by the new trusted CA, and install that certificate in place of the old one.

            – James B. Byrne
            14 hours ago













          • If your certificate already expired then yes, To this point, I thought that you are preparing since your certificate soon expire.

            – Aroly7
            13 hours ago

















          Yes. I believe that you are correct. I missed the distinction. I will research that instead.

          – James B. Byrne
          yesterday





          Yes. I believe that you are correct. I missed the distinction. I will research that instead.

          – James B. Byrne
          yesterday













          HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

          – John Mahowald
          yesterday





          HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

          – John Mahowald
          yesterday













          The resolution to that would be to add new header to expire after current last header expires.

          – Aroly7
          yesterday





          The resolution to that would be to add new header to expire after current last header expires.

          – Aroly7
          yesterday













          To clarify our situation. We do not, and never have, used HPKP. I verified that personally. The issue with the certificates was simply that they had expired. The correct solution was to issue a new certificate signing request (CSR) using the existing server public key which was 4096 bits, have the CSR signed by the new trusted CA, and install that certificate in place of the old one.

          – James B. Byrne
          14 hours ago







          To clarify our situation. We do not, and never have, used HPKP. I verified that personally. The issue with the certificates was simply that they had expired. The correct solution was to issue a new certificate signing request (CSR) using the existing server public key which was 4096 bits, have the CSR signed by the new trusted CA, and install that certificate in place of the old one.

          – James B. Byrne
          14 hours ago















          If your certificate already expired then yes, To this point, I thought that you are preparing since your certificate soon expire.

          – Aroly7
          13 hours ago





          If your certificate already expired then yes, To this point, I thought that you are preparing since your certificate soon expire.

          – Aroly7
          13 hours ago


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Server Fault!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962425%2fhow-does-one-change-the-certificate-and-key-for-https%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Why not use the yoke to control yaw, as well as pitch and roll? Announcing the arrival of...

          Couldn't open a raw socket. Error: Permission denied (13) (nmap)Is it possible to run networking commands...

          VNC viewer RFB protocol error: bad desktop size 0x0I Cannot Type the Key 'd' (lowercase) in VNC Viewer...