SSL Certificates

[fuzed]

Hi all, I currently use globalsign for my SSL certificates, which are self signed etc, but I find I struggle to update then on the server every year, for one reason or another (mostly finding the private/public key combos) and getting things to 

Can I get a certificate from another provider instead of renewing the current one, that will be easier to use with Intella? 
Any suggestions/guidance is appreciated. 

[ŁukaszBachman]

Hi Fuzed,

Over pas few years we have been using these providers without a problem:

• https://www.namecheap.com/security/ssl-certificates/
• https://ssl.comodo.com/
• https://pl.godaddy.com/web-security/ssl-certificate
• and few others

When the time allows, I think I'll revise the idea of using Lets Encrypt too. I think it may be beneficial in the long run.

[fuzed]

Thanks Lukas,

Does that mean I do not need to renew, and can just create a new certificate?

I hate having to use Java keystores they are hard work if you do not have the right private/public keys.

[ŁukaszBachman]

Yes,  you can create a new certificate from scratch, but you always need to have private key.

My standard procedure is more or less the following:

• I try to do this a couple of weeks in advance, to avoid stressful situations when I'm tight on time
• I'm always in posses of a private/public key pair. I am very rigorous about it, saving them in encrypted & password protected database.
• Whenever I need to re-issue a certificate, I will create a new keystore using Intella Connect UI and will provide my private & public key pair.
• I later generate CSR, submit it to CA for signing.
• Then I include certs I got in reply by adding them through Connect UI (intermediates & root).
• I verify that keystore looks OK in Connect UI, and later activate it.

This gives me the option to use any CA for signing because I am always in control of my key pair.

 

BTW, if you ever need to troubleshoot Java Keystores, this is a nifty tool: http://keystore-explorer.org/ It allows to inspect/modify/convert anything related to keystores or certs.

[fuzed]

Thanks Lukas,

Sorry for all the questions, I do not understand SSL certs and Keypairs well enough yet.

Do I need to use my OLD private key, or can I generate a new one?

[ŁukaszBachman]

This forum may not be a good place to get into too much details about the basics of SSL, but since you are an active member I'd like to help out a little  So some basics below:

• you start with generating a key pair (private & public). That pair contains some information about your identity (like domain name, street, city, state, country, etc.)
• then you generate a CSR (Certificate Signing Request) for this unique keypair. This step assures that you don't hand off your private key to a 3rd party which will do the signing. This 3rd party is called Certificate Authority. Some corporations having large IT departments use in-house CAs, but most of the world uses public CAs (like GoDaddy). CSRs are temporary in this entire process. Once CA signs your cert (next step), it will have no further use.
• the CA signs your CSR with their own public key. This is like a stamp of approval saying "we trust this company, and if we ever stop trusting them we will invoke their certificate". This helps to establish a chain of trust where bigger, more trust worthy institutions acknowledge the authenticity of smaller entities.
• in reply, CA will now send you your SSL certificate as well as some of their own certificates (usually two) that form the upper portion of the chain of trust
• at this point you have all you need: your private key, your certificate (which is tightly relate to your keys via CSR) and a few extra certs of CAs. All this information allows for the traffic to be encrypted and for the validation of the chain of trust.
• in Connect (and other Java applications) all these are kept in a keystore, which is like an encrypted database to keep everything safe

So, knowing those basics, let's get back to your question.

> Do I need to use my OLD private key, or can I generate a new one?

Yes, you can re-use your old keys to generate new CSRs and obtain new certificates.

However, if you are creating a new keystore in Connect UI it will ask you do you want to start from scratch (new keypair is then generated) or do you want to import existing ones (in case you already purchased a certificate before you started Connect integration).

I personally prefer to create a new keystores from scratch each year, which I consider safer than relying on same keys for many years.

Hope that helps!

[fuzed]

Thank you Lukas, you've been very helpful.

I've used Namecheap to create a new keystore and will do the same each year, as it seems to be much easier that messing around with the Java Keystores.
 

[ŁukaszBachman]

Ok, that's great to hear. Just keep in mind that Connect always creates those keystores to keep everything secure. So in case you ever have any problem, manually fixing the keystore is also an option. Good luck!

[fuzed]

I'll keep that in mind.

 

Thank you, all sorted for another year.