SSL Certificate Renewal

Our customer is requiring a renewal of the SSL certificates used on their Gateways. To do this, I have to submit a new CSR. I can generate a CSR from the Web Server section of the Gateway, but the signing authority will not accept it. It seems to use the same Private Key that was presented when we initially generated the certificate.

Is it possible to generate a NEW CSR without taking the webserver offline to do so? It looks like I would need to remove the existing certificate and then create a fresh CSR to request a new certificate.

You would need to use KeyTool or openssl or some other external tool to generate the CSR.

What Kevin said. This is similar to this thread: SSL Cert Switch Over Best Practices

I will link this forum post to ticket IGN-5726 which will allow you to generate a new CSR with a new key pair when the Gateway is in a state where a certificate is already installed.

1 Like
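As an added example (not from the thread or from Ignition itself), here is one way to follow the replies above with openssl: generate a fresh key pair and CSR outside the Gateway, then confirm the CSR's public key differs from the one in the installed certificate before submitting it. The host name, file names and the stand-in "current" certificate are constructed placeholders; function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example. Host name and file names are constructed placeholders.
# Requires OpenSSL 1.1.1 or later (for `req -addext`).
set -eu

# SHA-256 fingerprint of the public key in a certificate, CSR or private key.
pubkey_fp() {   # usage: pubkey_fp cert|csr|key FILE
  case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Create a fresh 2048-bit RSA key (owner-readable only) and a CSR signed with it.
new_csr() {     # usage: new_csr HOSTNAME KEY_OUT CSR_OUT
  ( umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$2" 2>/dev/null )
  openssl req -new -key "$2" -subj "/CN=$1" -addext "subjectAltName=DNS:$1" -out "$3"
}

# Succeeds only if the CSR carries a different public key than the installed cert.
csr_has_new_key() {   # usage: csr_has_new_key CURRENT_CERT CSR
  [ "$(pubkey_fp cert "$1")" != "$(pubkey_fp csr "$2")" ]
}

demo() {
  d=$(mktemp -d); host=gateway.example.com
  # Constructed stand-in for the certificate currently installed on the Gateway.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/old.key" -out "$d/current.crt" \
    -subj "/CN=$host" -days 30 2>/dev/null
  # A CSR built from the old key: the situation described in the question.
  openssl req -new -key "$d/old.key" -subj "/CN=$host" -out "$d/reused.csr"
  new_csr "$host" "$d/new.key" "$d/new.csr"
  for csr in reused new; do
    if csr_has_new_key "$d/current.crt" "$d/$csr.csr"; then echo "$csr.csr: new key, OK to submit"
    else echo "$csr.csr: same key as installed cert"; fi
  done
  rm -rf "$d"
}
demo
```

The new private key never has to touch the running web server until the signed certificate comes back, so the existing certificate stays in service in the meantime.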

@brownja667 how many gateways are being managed?

If the number is small (say less than 10) manual generation of the CSR might be acceptable. Just remember, it's not just this year, but the year after that and the year after that to infinity and beyond! Not to mention, manual cert handling is full of chances for error and is incredibly annoying.

We have hundreds of gateways (be that good or bad) and what we eventually did was develop a module that interacts with our company internal API service for cert management called CWS (Cryptography Web Service). The module behaves like this:

On a fresh gateway if there is no SSL installed, it will sense that, create a new cert and install it. Gateway from the start will then be available on port 8043.

If a cert is installed but it will expire in 90 days or less, it will renew the cert and install it.

If you're tearing the gateway down and you need to obsolete the cert, it has a way to do that, so expiration alert emails do not come for a cert that no longer needs management.

I can't share the module directly, but if anyone is interested in knowing more, I can do a post about it and highlight some of the key points. In order to do something like that you have to have a CA that you can interact with programmatically.

rgds,

Nick

3 Likes

Sounds like a great system! I encourage you to share what you can/want.