So, my SSL certificate is about to expire soon (in 2 weeks). I successfully issued a renewal certificate yesterday, but when I check my website, it still shows the old certificate. Is there a way to just use the new certificate, like maybe deleting the existing one? And if the existing certificate expires, does it automatically use the new one?
Here is the screenshot of my complete installation of the new certificate:
Installation complete
I followed the guide on how to renew the certificate based on this link: https://help.zerossl.com/hc/en-us/articles/360060119813-Renewing-an-SSL-Certificate
PS I'm using an IP address website, that's why I chose zeroSSL.
Tried contacting the zeroSSL team but no answers.
I just created a new SSL certificate with GoDaddy. I imported this certificate into IIS 8.0.
Then I checked all existing sites and their SSL certificates. Each one has its own certificate. So far, so good.
Now I want to add the newly imported certificate to a new site. But every time I do this, an "error" comes up and says that there is an existing site that uses the same certificate. But before that I checked all sites and I haven't seen the same certificate.
If I click on "do it anyway" it changes the certificate of another site to the new certificate that I just imported. So as a result two sites are using the same certificate now.
How can that happen? Is there a possibility that these two sites have a kind of a connection? Did I do something wrong with the import?
I absolutely have no idea.
Thank you.
PS: Even if I apply for a new certificate, I still get the same result.
PS: Could it be because of two different SSL distributors? One is Symantec and the other one is GoDaddy.
PS: This is the first GoDaddy certificate that I try to install after the Symantec one.
You might be using the same IP and port for all the URLs configured on IIS 8. If that's the case, then you have to mention the exact URL in the Hostname section when you bind the certificate as per image below.
Also make sure you put a tick mark to REQUIRE SERVER NAME INDICATION and then select the correct certificate from the dropdown in the SSL Certificate section.
We are required to add certificate for https://www.googleapis.com/youtube/v3/videos to our trusted certificates on our servers for complying with security policies.
We noticed that the certificate expires on the 24th of November, 2016. Can someone help with a support team mailing list which we can contact to get the new certificate in advance so that there is no outage for the functionality?
Thanks
I think you are missing a basic concept of TLS: the role of a certificate issuer.
You usually don't lock yourself to a specific certificate for a site and hope that somebody will provide you with the new certificate up front if the old certificate expires and that you then can change all your clients to accept this new certificate. This simply would not scale.
Instead you trust an issuer (CA - certificate agency) to issue a certificate for a specific site. Then you check for any certificate you got that the trust chain to your locally trusted certificate is fine and that the subject of the certificate matches the site you access. The same CA certificate (or at least the public key inside) will be used for many years to issue new certificates, contrary to leaf certificates which are only valid for 1..3 years or even a few months only to reduce the risk of compromise.
In summary: Don't expect anybody to tell you up front when they issue a new certificate because nobody will tell you. Instead do it like everybody else and trust a CA.
TL;DR: you can't. Validate the certificate using CA list.
Google already uses a pinning mechanism in Chrome:
https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json
But www.googleapi.com is not pinned in that list (only translate.googleapis.com), which means Google didn't ensure anything about its keys/certificate/certificate chain. So you can't pin it without taking the risk of breaking something, even before the renewal: they could change the certificate and/or the chain without notice.
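The difference between the two approaches in the answers above, as an added example that is not part of the original posts: a client that trusts one leaf certificate by fingerprint rejects the renewed certificate, while a client that trusts the issuing CA and checks the host name accepts both. The CA name "Demo CA", the host api.example.test and all file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: "Demo CA" and api.example.test are made-up names.
set -eu
WORK=$(mktemp -d)
HOST=api.example.test

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"

# Long-lived CA certificate: this is what the client keeps in its trust store.
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# issue_leaf N: new key + CSR for $HOST, signed by the CA (short-lived leaf).
issue_leaf() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$HOST" -keyout "$WORK/leaf$1.key" -out "$WORK/leaf$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 90 -extfile "$WORK/san.ext" -out "$WORK/leaf$1.pem" 2>/dev/null
}

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Approach 1: trust one specific leaf certificate by its fingerprint.
pin_check() { [ "$(fingerprint "$1")" = "$2" ]; }

# Approach 2: trust the CA, then check the chain and the host name.
ca_check() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$HOST" "$1" >/dev/null 2>&1
}

issue_leaf 1                            # certificate in use today
PIN=$(fingerprint "$WORK/leaf1.pem")    # what a leaf-pinning client stores
issue_leaf 2                            # the site renews without telling anyone

for n in 1 2; do
    pin_check "$WORK/leaf$n.pem" "$PIN" && p=accepted || p=REJECTED
    ca_check "$WORK/leaf$n.pem" && c=accepted || c=REJECTED
    echo "leaf$n: pinned-leaf check $p, CA check $c"
done
```

The only thing the CA-trusting client had to store was `ca.pem`, which did not change across the renewal.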
We have a website on a dedicated server with iweb.com. Our SSL certificate was purchased through GoDaddy and is expiring soon, so it’s time to get it updated. Iweb has a general article on how to install SSL certificates (https://kb.iweb.com/entries/21117106-Installing-SSL-certificates) but it’s not detailed so there are still some questions about that.
GENERATING A CSR AND INSTALLING A SSL CERTIFICATE:
“In order to get a SSL certificate, you need to create a Certificate Signing Request (CSR) and send it to the Certificate Authority.”
- Does it mean I can create a certificate myself for free, and don’t have to purchase it through GoDaddy or any other service? If yes, what is the difference? And if I already have a certificate, should I skip the certificate generating step and start with the installation?
FOLLOW THIS PROCEDURE TO INSTALL THE SSL CERTIFICATE:
Under the installation steps it asks to enter the domain name for which the SSL certificate was created, will it include the ftp, email, cpanel servers as well?
And lastly, what’s going to happen with my old certificate, will it be deleted or do I have to remove it manually?
Thank you!
Does it mean I can create a certificate myself for free, and don’t have to purchase it through GoDaddy or any other service?
Well, you can get a self-signed one for free. But if people are visiting your website, there will be a HUGE alert in their browser, which will try to stop them from browsing.
And the Certificate Signing Request is not actually a Cert! (well, it does contain your public key, and some other information)
The difference between a self-signed and public-CA-signed one is just like your school ID and your passport, the school ID only valid in a small community, and the passport is recognized by the general public as a personal ID.
See: How to create a self-signed cert in Ubuntu with Apache Using OpenSSL
If you think the price for GoDaddy is too high, you may try something cheaper like PositiveSSL or RapidSSL, which is only around 10 USD/year/domain.
And there is also a free one: StartSSL
Under the installation steps it asks to enter the domain name for which the SSL certificate was created, will it include the ftp, email, cpanel servers as well?
No, just the web server you wish the general public to be able to visit.
If there is a web interface for the email (like Gmail) or CPanel, you may have to create an SSL certificate for them as well.
And lastly, what’s going to happen with my old certificate, will it be deleted or do I have to remove it manually?
You should update it. If you haven't renewed and updated it, the browser will try to block your visitors with a HUGE alert again after the expiration date.
We use a multi-domain SSL certificate. Each time we add more client URLs, we obtain a new version of the certificate (with the newly added domains) and complete the request on the specific machine that the certificate request was originally created on. The single machine on which the CSR was generated was formatted recently. Are there other method(s) by which we could complete the certificate requests without that machine being available? Are there better ways of doing this that do not depend on any single machine?
Please note that by creating a new CSR on another machine, we will need to ask all our clients to validate this new SSL and that is something we would not want to do.
Update 1
We got the certificate and the private key from another machine that was using it and imported them to our server. Whenever we try to "Request Certificate with New Key" in certmgr, we get "Enrollment Error - The request contains no certificate template information". How do we resolve this?
I created an SSL certificate using IIS 5.1 and generated a file certreq.txt. Now what is the next step to use this file? I am a developer and working on a site that is hosted on my local machine. Is it necessary to get a license from any CA?
Please guide me ASAP.
You can create a self-signed cert, but that will not be very elegant for end users if this is a public website as there is the prompt about cert validity. Otherwise, yes you need to obtain a cert from a CA. I find the best is Verisign, although DEFINITELY not the cheapest. Others are Godaddy, CheapDomain, and pretty much any registrar can help with it.
The link is for 5.1, but you can find tutorials on all versions. For testing I would go the self signed route.
The certificate generated from IIS is a self-signed certificate, which can be used to test your website. However, if you run a public website from a self-signed certificate, every user will get a warning that the site is not safe. You will eventually need to get a license from a CA when you are ready to publish your site. Your domain host should provide an SSL certificate service, for something like $50-150/yr.
You can either self sign the certificate or send it to the CA to avoid the do-not-trust this site prompt. SSLTools Manager is a nifty app that can send your csr to a CA. Not sure about the self-signing feature though.