KB Article #101375
Replacing expiring certificate in SecureTransport, HowTo
Replacing expiring certificate in SecureTransport
Question
The certificate on our SecureTransport (ST) installation is goinf to expire soon. We obtained a new .CER format certificate and tried to import it. Unfortunately, we got the following error: Unable to import the certificate. An incorrect password was supplied or the certificate format is incorrect. How can we import the new certificate?
Answer
You need to generate a CSR on the first Edge server and then use the Finish button to complete importing the certificate. On all other Edge servers, you need to first export the certificate from the primary Edge server and then import it on the other Edge servers.
Importing the newly obtained certificate into each server will not work!
Install the new certificate on the Primary Edge server
Generate the CSR
- Log on to Edge server administrative interface.
- Click on Setup on menu bar.
- Click on the Generate button.
- Select the "Certificate Signing Request (CSR)" radio button.
- Fill in the Common Name (if its blank) with the DNS for the server.
- Ensure the Company is entered appropriately.
- Ensure the State is "OHIO".
- Click Generate.
- Download the CSR on the next page.
- Close the dialog box.
- Note in the administrative interface, there is now a "Pending Local Certificates (CSR)" entry.
Now get the updated certificate.
Install the updated certificate
- Log on to Edge server administrative interface.
- Click on Setup on menu bar.
- Click on the Finish... button for the Pending Certificate.
- Fill in an alias name - maybe ftpd_09 (assuming the certificate expires in 09).
The idea of creating a new alias is so we can go back to the old key if we need. - Browse to the location of the new certificate.
- Click the Finish button.
- Verify the key imported successfully.
Set STE to use the new key (for STE 4.6)
- Log on to Edge server administrative interface.
- Under the FTP/.HTTP Key Alias heading, change the Key Alias dropdown to the new key installed.
- Click Apply.
- Click on the 'AS2 SSH TM DB Proxy' link.
- Under the SSH Server heading, change the dropdown for the SSH Key Alias to the new key.
- Click Update (bottom of the screen).
To apply the changed key (for STE 4.6)
- Log on to Edge server administrative interface.
- In the FTP Server heading bar, click the STOP button.
- Wait a minute or two.
- In the FTP Server heading bar, click the START button.
- In the HTTP Server heading bar, click the STOP button.
- Wait a minute or two.
- In the HTTP Server heading bar, click the START button.
- Click on the 'AS2 SSH TM DB Proxy' link.
- In the SSH Server heading bar, click the STOP button.
- Wait a minute or two.
- In the SSH Server heading bar, click the START button.
- Log out of the administrative interface.
TEST
- In your browser, connect to the Edge server's customer interface.
- When prompted with the certificate, View Details.
- Ensure the correct details are presented.
Install the updated certificate on the Secondary Edge servers
Export the updated key from Primary Edge server
- Log on to the Primary Edge server administrative interface.
- Click on Setup on menu bar.
- Click on the link for the new key.
- Click on the Export button.
- Select the "Export private key" checkbox.
- Enter the password.
- Confirm the password.
- Click Export.
- Save the file to your local hard drive.
- Click Close button.
- Log out of the administrative interface.
Import the key on each Secondary server
- Log on to Edge server administrative interface.
- Click on Setup on menu bar.
- Click on Import button.
- Fill in an alias name - maybe ftpd09 (assuming the certificate expires in 09).
The idea of creating a new alias is so we can go back to the old key if we need. - Fill in the other fields and click Import.
- Verify the key imported successfully.
Set STE to use the new certificate (for STE 4.6)
- Log on to Edge server administrative interface.
- Click on Operations on the menu bar.
- Under the FTP/HTTP Key Alias heading, change the Key Alias dropdown to the new key installed.
- Click Apply.
- Click on the 'AS2 SSH TM DB Proxy' link.
- Under the SSH Server heading, change the dropdown for the SSH Key Alias to the new key.
- Click Update (bottom of the screen).
To apply the changed key (for STE 4.6)
- Log on to Edge server administrative interface.
- In the FTP Server heading bar, click the STOP button.
- Wait a minute or two.
- In the FTP Server heading bar, click the START button.
- In the HTTP Server heading bar, click the STOP button.
- Wait a minute or two.
- In the HTTP Server heading bar, click the START button.
- Click on the 'AS2 SSH TM DB Proxy' link.
- In the SSH Server heading bar, click the STOP button.
- Wait a minute or two.
- In the SSH Server heading bar, click the START button.
- Log out of the administrative interface.
TEST
- In your browser, connect to the Edge server's customer interface.
- When prompted with the certificate, click View Details.
- Ensure the correct details are presented.