KB Article #177923
Extend the validity of self-issued certificates in SecureTransport
Problem
Recreating expired self-issued SSL/TLS certificates might not be an option in certain situations, because recreating them also regenerates the Private Key. The following instructions show how to extend the validity of a certificate while reusing the same key, so the public key and its fingerprint are retained.
Resolution
Note: The "openssl" tool must be available on the OS in order to extend certificate validity. Certain SecureTransport versions ship without the openssl binaries, so this article relies on the tool provided by the OS.
SecureTransport keeps the following folder structure to store certificates:
- <FILEDRIVEHOME>/lib/certs - Certificate Public Keys.
- <FILEDRIVEHOME>/lib/certs/private - Certificate Private Keys.
- <FILEDRIVEHOME>/lib/certs/db - CA certificate Key and Certificate.
Certificates are named <ALIAS>-crt.pem (public certificate) and <ALIAS>-key.pem (Private Key).
To sign the keys, the configuration file <FILEDRIVEHOME>/conf/ssl.ca.conf should be created with the following content. Change the path in the "dir" variable to match the SecureTransport installation directory.
#
# @(#) $Id: ssl.ca.conf,v 1.4 2005/03/12 06:05:07 mparks Exp $
#
# Do not delete the SecureTransport VERSION line below.
# ~VERSION~ 1
#

[ ca ]
default_ca = cad

[ cad ]
dir = /opt/axway/SecureTransport/lib/certs
new_certs_dir = $dir/db
database = $dir/db/index
serial = $dir/db/serial
certificate = $dir/db/ca-crt.pem
private_key = $dir/db/ca-key.pem
policy = policy_match
default_days = 365
default_crl_days = 30
default_md = md5

[ policy_match ]
countryName = supplied
stateOrProvinceName = supplied
localityName = supplied
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
x500UniqueIdentifier = optional
emailAddress = optional
title = optional

[ req ]
distinguished_name = DN
string_mask = nombstr

[ DN ]
countryName = "Country Name "
stateOrProvinceName = "State/Province Name "
localityName = "Locality Name "
organizationName = "Organization Name "
organizationalUnitName = "Organizational Unit "
commonName = "Server Host Name "
countryName_min = 2
countryName_max = 2
Assuming the SSL Alias that is about to expire is called "test", we can use the following commands to extend its validity.
Navigate to the SecureTransport installation directory:
# cd /opt/axway/SecureTransport
Create a new CSR using the old key. The example below takes the test-key.pem Private Key and uses it to create a new CSR in the temp directory. The validity of the CSR is 365 days and the signing algorithm is SHA256.
# openssl req -new -sha256 -key lib/certs/private/test-key.pem -out var/tmp/test-csr.pem -config conf/ssl.ca.conf -days 365 -subj "/C=BG/ST=Sofia/L=Sofia/O=Axway/OU=Support/CN=test"
Note: The -subj "/C=BG/ST=Sofia/L=Sofia/O=Axway/OU=Support/CN=test" option is a quick, non-interactive way to supply the certificate attributes. Omit it to be prompted for those values interactively.
FIPS mode for OpenSSL would prevent it from reading the Internal CA Private Key, so FIPS should be disabled for the OpenSSL tool:
# unset OPENSSL_FIPS
Sign the new CSR using the Internal CA in SecureTransport. This step is interactive: you will be prompted for the Internal CA Password and then asked to confirm signing the CSR. It creates the test-crt.pem file in the temp directory with the extended validity. The -md sha256 option overrides the default_md = md5 setting from the configuration file.
# openssl ca -config conf/ssl.ca.conf -out var/tmp/test-crt.pem -in var/tmp/test-csr.pem -days 365 -notext -md sha256
The final step is to combine the old Private Key with the newly signed, extended Public Certificate into a PKCS12 file:
# openssl pkcs12 -export -in var/tmp/test-crt.pem -inkey lib/certs/private/test-key.pem -out var/tmp/test.p12
The test.p12 file is the one to import through the Admin UI, replacing the old "test" alias.
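A verification script, added here as an example that is not part of the original article, for checking the result of the procedure above before importing it: check_extended_cert confirms that the re-signed certificate still carries the public key of the old Private Key, that it is not signed with MD5 (the default_md in the configuration file), that it chains to the Internal CA certificate and that it is currently valid, and it prints the notAfter date so the validity actually applied at signing can be confirmed. The demo function builds throwaway sample material in a temporary directory (constructed; not SecureTransport's own files) and runs the check once with the matching key and once with an unrelated key.

```shell
#!/bin/sh
# check_extended_cert OLD_KEY NEW_CRT CA_CRT
# Returns 0 when NEW_CRT carries the public key of OLD_KEY, is not signed
# with MD5, chains to CA_CRT and has not expired; otherwise prints why and
# returns 1. Only the openssl CLI is required.
check_extended_cert() {
    key="$1"; crt="$2"; ca="$3"
    # SubjectPublicKeyInfo derived from the private key vs. embedded in the cert
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL: public key in $crt does not match $key" >&2; return 1
    fi
    if openssl x509 -in "$crt" -noout -text | grep -qi 'Signature Algorithm: md5'; then
        echo "FAIL: $crt is signed with MD5" >&2; return 1
    fi
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not chain to $ca" >&2; return 1
    fi
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
        echo "FAIL: $crt has already expired" >&2; return 1
    fi
    echo "OK: key match, CA chain valid, $(openssl x509 -in "$crt" -noout -enddate)"
    return 0
}

# Constructed demo: a throwaway CA, the key to keep, a CSR signed by that CA,
# plus an unrelated key. Returns 0 only if the check passes for the right key
# and fails for the unrelated one. (File names follow the article's convention.)
demo_extended_cert_check() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/ca-key.pem" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 365 -key "$d/ca-key.pem" \
        -subj "/CN=Demo Internal CA" -out "$d/ca-crt.pem" 2>/dev/null
    openssl genrsa -out "$d/test-key.pem" 2048 2>/dev/null
    openssl genrsa -out "$d/other-key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$d/test-key.pem" -subj "/CN=test" \
        -out "$d/test-csr.pem" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$d/test-csr.pem" -CA "$d/ca-crt.pem" \
        -CAkey "$d/ca-key.pem" -CAcreateserial -out "$d/test-crt.pem" 2>/dev/null
    if check_extended_cert "$d/test-key.pem" "$d/test-crt.pem" "$d/ca-crt.pem"; then good=0; else good=1; fi
    if check_extended_cert "$d/other-key.pem" "$d/test-crt.pem" "$d/ca-crt.pem"; then bad=0; else bad=1; fi
    rm -rf "$d"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}

demo_extended_cert_check && echo "demo: checks behaved as expected"
```

Run check_extended_cert against lib/certs/private/test-key.pem, var/tmp/test-crt.pem and lib/certs/db/ca-crt.pem from the SecureTransport installation directory before building the PKCS12 file.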