Updating an expired ssl certificate

Issue #367 resolved
Marconi Madruga
created an issue

Hello all.

I just inherited the infrastructure setup of the lab where I am working and I am inexperienced with SSL auth so forgive me if I say something stupid. Our scm manager's SSL certificate expired and I tried to create a new one and update it. After some struggling, I created a new keystore with a new private key, generated a matching csr, got a signed certificate from start ssl. However, when I restart the scm server and try to access it from the web browser it says it can't be trusted anymore and when I check the certificate it says it was issued by the own server, instead of the CA (Start ssl). I guess the server is not sending the correct newly signed certificate?

Any ideas on what am I doing wrong?

Thank you for your time!

Comments (10)

  1. Marconi Madruga reporter

    Hello, thanks for the answer.

    Yes, I did, inside my keystore.jks file (which is in scm-server\conf) now there are 4 entries, the private key, the signed certificate, the ca and the ca.sub certificates. It keeps showing me the wrong chain of authentication (does not show CA and sub, but my domain as the root).

  2. Marconi Madruga reporter

    Hi, it gives me:

    Loading 'screen' into random state - done CONNECTED(00000180) depth=0 O = .net, O = globallabproject, CN = scm.globallabproject.net verify error:num=18:self signed certificate verify return:1 depth=0 O = .net, O = globallabproject, CN = scm.globallabproject.net verify return:1

    Certificate chain 0 s:/O=.net/O=globallabproject/CN=scm.globallabproject.net i:/O=.net/O=globallabproject/CN=scm.globallabproject.net

    Server certificate -----BEGIN CERTIFICATE----- MIIDOTCCAiGgAwIBAgIEQkKMZTANBgkqhkiG9w0BAQsFADBNMQ0wCwYDVQQKEwQu bmV0MRkwFwYDVQQKExBnbG9iYWxsYWJwcm9qZWN0MSEwHwYDVQQDExhzY20uZ2xv YmFsbGFicHJvamVjdC5uZXQwHhcNMTMwNDA5MTAyNjIxWhcNMTMwNzA4MTAyNjIx WjBNMQ0wCwYDVQQKEwQubmV0MRkwFwYDVQQKExBnbG9iYWxsYWJwcm9qZWN0MSEw HwYDVQQDExhzY20uZ2xvYmFsbGFicHJvamVjdC5uZXQwggEiMA0GCSqGSIb3DQEB AQUAA4IBDwAwggEKAoIBAQCwFg9Zg1GFz/DMYR95moIdeSgCgGEyiwAylxy7Ycnn jB3jW7IoBgTGOrS1HpgIkyVuwPAOSq84ws473jdHmeNO7cjUYEwfCaqpFz/NArL3 NLxr3kklIJCCDYX3ud1E0+kiJCCGR/fOvQJkOJ2UkauioQQvR0iQmfor6AMjyA1J MySPJiTTv/Ozwz9+xH4Rheg2qXek2MN8YFjz+O0JejI8xIeXQuwk2y1U5QM/KMw+ GShoIpX0eX+Zq7VnXuihXQKrI2KUiLiBlOEFNml6s1boBtxOP4ICw/qDAds5DhVM zXQ5O4HjwluhFT+4pyQOL3Wk9/SkCx4Tfk/ylX9KX+4hAgMBAAGjITAfMB0GA1Ud DgQWBBTmgXw6KIy7C1LiPQsggsrfSFF6dTANBgkqhkiG9w0BAQsFAAOCAQEAYBNO zj0yxB8xReJsK1KWT43Qle8ukLztv3TF8WuFbP+GVoM8YaPyGioXHEmiu/iEfkYi AlDu/FO/bd4vD3L7DsMyljHBbZ5UXBvpka0CeXe2cTAxFW/E+RJZxtX5xYc54v3N K1B7VAZHuDb//lFAxpbYOXcrubwSKKlg/V5+jh41mzBGl6ACZuD2qbEXuld6zIWT +kZVLYkDNnefABHVZuWsma/3eE6ctvGUElT+AkWmHg4CQfEbvLYIEabCil/+t8Ui cOjEvtf/BwuIm9vT+5wry5+kwvyDRl3m6RlfuGwRzl+DsPatLgRxY3txoIwhvobZ O7ZGxqIpgkbg4f2SBw== -----END CERTIFICATE----- subject=/O=.net/O=globallabproject/CN=scm.globallabproject.net issuer=/O=.net/O=globallabproject/CN=scm.globallabproject.net --- No client certificate CA names sent --- SSL handshake has read 1401 bytes and written 535 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-DES-CBC3-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-DES-CBC3-SHA Session-ID: 516686BA10002C8E287DFD98FD0AE01337A51188B51104931EDCEA0A1A875428

    Master-Key: 5D7AA25ABE630CFC447E37B2B6CCFBB30076274B1AEAED22F3FCF14572DE4AF2

    64321F01543C282D41ACB3EF1BBFA177 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1365673658 Timeout : 300 (sec) Verify return code: 18 (self signed certificate)


  3. Marconi Madruga reporter

    I followed https://forum.startcom.org/viewtopic.php?t=1390 to create a private key, generate a .csr and retrieve the signed certificate. Then I added each of those + the CA certificates to the keystore like the link says.

    Then I noticed that I was using the default keystore and that those need to be in the \scm-server\conf\keystore.jks instead. So I exported everything to another keystore and put it in the \conf\ folder. Then I noticed that since I followed the steps in the link, I changed the alias of the private key to "scm", to match (kind of) what is in https://bitbucket.org/sdorra/scm-manager/wiki/scm-server-ssl.

    I have the .pem (private key), .csr, .crt files... I wonder if I it helps to create a new keystore and reimport everything.

  4. Marconi Madruga reporter

    Woohoo! Thank you very much. It worked :) I didn't know I needed to join everything together in the same chain/file. It looks obvious now why the browser was not showing the whole chain.

  5. Log in to comment