Question

Request CSR using IFS mws for certificate renewal

  • 6 December 2021
  • 7 replies
  • 455 views

Userlevel 4
Badge +9

I have a certificate that is about to expire and have downloaded the new cert in .cer format. Since this is a renewal, do I need to create a CSR again from my server and rekey the certificate through my CA, or is there a simple way to update the cert without a new private key?

 

P.S. This is IFS Apps 10, UPD8 running under Windows Server 2016



Userlevel 7
Badge +20

Hi @woprhowe ,

I hope you are raising this question in relation to IFS applications and configuring IFS with the new certificate. If so, you will have to re-configure the IFS application again when there is a change in certificate. Regarding creating the certificate to include the code signing certificate, I think you will have to create a new CSR as well. 

Thanks,

Kasun

Userlevel 4
Badge +9

Thank you!

Userlevel 4
Badge +9

Is there a tool in IFS to create the CSR, or does that have to be done using another tool such as the Windows Certificate store? 

Userlevel 7
Badge +20

Is there a tool in IFS to create the CSR, or does that have to be done using another tool such as the Windows Certificate store? 

No, there’s no tool in IFS to create a CSR, but the IFS installer provides the capability to create a self-signed certificate which can be used for code signing from the installer. But I hope you are raising this question with regards to a PROD where using a self-signed cert is not recommended.

 

Userlevel 4
Badge +9

This is a “non-production” environment, but the last time we tried a self-signed cert, it failed when applying UPD. Are there any more detailed instructions on how to perform the update? I have searched https://docs.ifs.com/techdocs/, these instructions do not seem very detailed. I have checked with my CA, and they have no knowledge of IFS. When I download the new cert, I get two (2) .crt files and one .pem file. I have tried using the Java “keytool”, but this seems to only “import” and I cannot export the p12 file from the keystore.

Userlevel 7
Badge +20

This is a “non-production” environment, but the last time we tried a self-signed cert, it failed when applying UPD. Are there any more detailed instructions on how to perform the update?

Are you requesting more information regarding how to install the IFS UPD with a self-signed certificate? If yes, the installation instruction document provided with the Update should cover the installation instructions in detail.

I have searched https://docs.ifs.com/techdocs/, these instructions do not seem very detailed. I have checked with my CA, and they have no knowledge of IFS. When I download the new cert, I get two (2) .crt files and one .pem file. I have tried using the Java “keytool”, but this seems to only “import” and I cannot export the p12 file from the keystore.

You do not have to manually import the certificate to Java keystores unless there is a special scenario like an integration scenario. Usually the self-signed certificate creation and importing should be handled by the installer itself when used. For a vendor certificate to be used with IFS, a domain certificate with code signing should be used, and I think there are some topics around that already in IFS Community. I will try to search and post some for your reference.

 

Edit:

Here are some topics:

 

  1. SSL Certificate are no longer issued for Code Signing Since June 2021. | IFS Community
  2. Questions regarding SSL Certificates -App10: | IFS Community

In case you don’t have access to 2.:

Q:

One of our customers has following questions.

"I am being told that you cannot have one certificate that does both. The X.509 standard does not allow that. According to the X.509 certificate specification, you cannot use a certificate for a purpose other than what is specified.

You can only specify a certificate for HTTPS or code signing, not both.

That being said, which of these options can be done:

1. Purchase an SSL Certificate for HTTPS web encryption, and generate a test certificate for code signing to send to F1Mage.

2. Purchase an SSL Certificate for both HTTPS and Code Signing."

 

A: 

Some of the CA sites let you select attributes, and there is one for code signing. Sometimes they work without that though; note that this is IFS dependent.

Userlevel 4
Badge +9

I have read through all of the referenced material and still find myself wanting more detail. One post references:

 

But there is not enough information to effectively run the script “update_http_certificates”. I am positive that I have the correct password for the .pfx file that contains my certificate, yet it produces the error “WARNING: Unable to update truststore! java.io.IOException: Keystore was tampered with, or password was incorrect
update_certs finsihed with errors!” It prompts for “OHS password”, then it prompts for “Password”. Are these the password that I created when I exported the certificate and private key to the .pfx file? I wish that the IFS documentation would explain each prompt to clarify what entry is expected.
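
Two checks this thread keeps coming back to, as an added example that is not part of the original posts and is not IFS code: whether a certificate matches the private key already on the server (a CSR built from that key carries the same public key), and whether a given password actually opens a .pfx file. It assumes the OpenSSL command-line tool, which the thread does not mention; the keys, CSR, hostname and password are constructed, and a self-signed certificate stands in for the file a CA would return.

```shell
#!/bin/sh
# Added example. Keys, CSR and certificate are constructed here; a self-signed
# certificate stands in for the file the CA returns.
set -eu

# SHA-256 over the PEM public key carried by a private key, a CSR or a certificate.
pub_fp() {  # usage: pub_fp key|csr|cert FILE
  case "$1" in
    key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    false ;;
  esac || return 1   # unreadable file: fail instead of hashing empty input
  printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# A certificate can be paired with the existing key only if both carry the
# same public key. Fails (rather than matching) when either file is unreadable.
cert_matches_key() {  # usage: cert_matches_key CERT KEY
  c=$(pub_fp cert "$1") && k=$(pub_fp key "$2") && [ "$c" = "$k" ]
}

# Bundle certificate + key into a PKCS#12 (.pfx/.p12) file. The password goes
# through the environment so it does not appear on the command line.
make_pfx() {  # usage: make_pfx CERT KEY OUT PASSWORD
  PFX_PASS="$4" openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:PFX_PASS
}

# True only when PASSWORD opens the PKCS#12 file.
pfx_password_ok() {  # usage: pfx_password_ok FILE PASSWORD
  PFX_PASS="$2" openssl pkcs12 -in "$1" -noout -passin env:PFX_PASS >/dev/null 2>&1
}

work=$(mktemp -d)
openssl genrsa -out "$work/server.key" 2048 2>/dev/null   # key already on the server
openssl genrsa -out "$work/other.key"  2048 2>/dev/null   # unrelated key
# CSR built from the existing key, so no new private key is created.
openssl req -new -key "$work/server.key" -subj "/CN=ifs.example.test" -out "$work/renew.csr"
# Stand-in for the CA step: self-sign the CSR.
openssl x509 -req -in "$work/renew.csr" -signkey "$work/server.key" -days 30 \
  -out "$work/renewed.crt" 2>/dev/null

echo "csr : $(pub_fp csr  "$work/renew.csr")"
echo "cert: $(pub_fp cert "$work/renewed.crt")"
cert_matches_key "$work/renewed.crt" "$work/server.key" && echo "cert matches server.key"
cert_matches_key "$work/renewed.crt" "$work/other.key"  || echo "cert does not match other.key"
make_pfx "$work/renewed.crt" "$work/server.key" "$work/renewed.pfx" 'constructed-pass'
pfx_password_ok "$work/renewed.pfx" 'constructed-pass' && echo "pfx password ok"
pfx_password_ok "$work/renewed.pfx" 'wrong-pass' || echo "wrong password rejected"
```

Running `pfx_password_ok` against the real .pfx before handing it to another tool separates a wrong export password from a problem with a different keystore or prompt.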