CLEANACCESS Archives

August 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Rajesh Nair (rajnair)" <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Tue, 1 Aug 2006 10:52:22 -0700
Content-Type: text/plain
Parts/Attachments: text/plain (71 lines)

Kurt, 

That is a little strange.  However, if Thawte needs the new format, I
would suggest the following procedure:

1) From CAM web console, manage the CAS, go to the Certs section and
export the current private key, the certificate and the intermediate/root
cert (if any - this is typically only for an intermediate chain cert).
Save this somewhere safe.

2) During a maintenance window, generate a new temporary certificate for
the CAS using the UI.  Please make sure that you fill all the fields
correctly.  Once the new certificate is generated, export the new
private key and a CSR (certificate signing request). 

3) During the same maintenance window, import back the old private key,
certificate and intermediate/root cert (if any), verify and upload the
cert and restart the CAS (service perfigo restart or reboot whichever is
easier). 

4) Send the CSR obtained in step #2 for signing. Once you receive the
signed cert back, perform step #3 except with the new private key and
the newly received signed cert. And restart the CAS. 

This should cause minimum downtime. 

Regards,
-Rajesh.

-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Kurt Huenemann
Sent: Tuesday, August 01, 2006 9:08 AM
To: [log in to unmask]
Subject: how to renew CAS certificates?

Greetings from sweltering Ohio....

We have been running Clean Access for about a year, and it's now time to
renew our SSL certificates on the CAS pair for the first time (they
expire in 3 weeks).

The CAS administration guide has lots of information in chapter 12 about
doing the INITIAL certificate request and import, but it's not clear to
me how to do a RENEWAL.  We use Thawte, and when we generated and sent a
new CSR, they replied that it had already been used, and we needed to
generate a new one.  Something about Tomcat being different than regular
Apache and therefore not really renewable?

Do I need to generate a new temporary certificate before the CSR?  Won't
that break CCA for current users?

Thanks, in advance, for any clues about the certificate
renewal/replacement process.

Kurt

P.S.  We just upgraded smoothly from 3.5.8 to 4.0.2 on our HA-paired CAM
and CAS.  No show-stopping failures.  Yet.

P.P.S.  Sorry for the accidental cross-posting to RESNET-L.  Meant to
send it here!


Kurt Huenemann
Heidelberg College
Tiffin, Ohio
Office: 419-448-2351
Fax:    419-448-2176
Email:  [log in to unmask]
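
The procedure in the reply above leaves two key pairs on hand (the old one from step 1 and the new one from step 2), so before the import in step 4 it is worth confirming that the signed certificate and the CSR belong to the new private key and not the old one. The script below is an added example, not part of the original messages or of Clean Access; it assumes the exported files are PEM with an unencrypted private key, and the file names and the `make_samples` helper are hypothetical.

```shell
#!/bin/sh
# Added example: compare the public key carried by a private key, a CSR and a
# certificate. Assumes PEM input and an unencrypted private key.

# Hash the PEM public key text in $1; fail when openssl produced nothing,
# so a missing or unreadable file can never "match" another one.
fp() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | openssl dgst -sha256 | awk '{print $NF}'
}

key_fp()  { fp "$(openssl pkey -in "$1" -pubout 2>/dev/null)"; }
csr_fp()  { fp "$(openssl req  -in "$1" -noout -pubkey 2>/dev/null)"; }
cert_fp() { fp "$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)"; }

# same_keypair KEY CSR CERT
# Succeeds only if all three files carry the same public key.
same_keypair() {
    k=$(key_fp "$1") && r=$(csr_fp "$2") && c=$(cert_fp "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Constructed sample input for trying the check offline: an "old" key with its
# certificate, and a "new" key with its CSR. The new certificate is self-signed
# here as a stand-in for the one the CA would return.
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 21 -subj "/CN=cas.example.edu" \
        -keyout "$d/old.key" -out "$d/old.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=cas.example.edu" \
        -keyout "$d/new.key" -out "$d/new.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/new.csr" -signkey "$d/new.key" -days 365 \
        -out "$d/new.crt" 2>/dev/null
}

# Usage: sh check.sh new.key new.csr signed.crt
if [ "$#" -eq 3 ]; then
    if same_keypair "$1" "$2" "$3"; then
        echo "OK: key, CSR and certificate match"
    else
        echo "MISMATCH: do not import this combination" >&2
        exit 1
    fi
fi
```

Running the same check with the old key against the new certificate fails, which is the mix-up it is meant to catch before the CAS is restarted.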
