How to renew a certificate
By alkas
CAcert lets you renew an expired certificate, provided it has not been revoked. Both the private and the public key remain unchanged by the renewal process.
In your CAcert account you can display all the certificates issued to you, both client and server ones.
This example covers the renewal of a server certificate, which is the more challenging case. You will need:
- A computer (usually a server) holding the original, now expired, certificate. The matching private key must be stored there, too.
- A server certificate stored in your CAcert account: select Server certificates - View from the menu, and below the list of valid certificates click the link "View all certificates". The expired and revoked certificates are displayed. From the expired certificates select one for which you know the computer it was created on, and thus where its private key is stored. It helps if you gave the original (now expired) certificate a comment identifying it, including its location.
The process in brief:
- In your CAcert account you renew the certificate and save the renewed certificate to a file. Note that this certificate does not contain the private key, and that it has a different serial number than the original (expired) certificate. (This makes it impossible to use the MMC Certificates snap-in for this step.)
- Export the expired certificate together with its private key from the computer where that private key is stored.
- Use Firefox to combine the new certificate with the original private key. (This example uses a computer other than the original server.)
- Export the resulting renewed certificate, including the private key, to a backup file.
- Import that file on the server that will use it (e.g., a web server).
Renewing the CAcert certificate and saving it to a file
Log in to your CAcert account. From the menu on the right side select Server certificates - View. A page appears listing all your valid server certificates. Click the link "View all certificates" at the bottom of the list.
Select the expired certificate whose private key you can locate, i.e. you know the computer where the private key and the expired certificate are stored. Press the "Renew" button. After a while a page containing the renewed certificate appears. Select its contents:
Copy the contents (Ctrl-C), run Notepad, and create a file with the .CER extension.
Paste the certificate contents (Ctrl-V) and save the file. When you open the file you can see some properties of the renewed certificate:
This is your renewed certificate, still without the private key. Note the new validity period and the new serial number.
Export the expired certificate from the original computer (server)
Now export the expired certificate with its private key from the computer where it is located, using the Certificates snap-in of the MMC administrative tool. I recommend exporting it to a file whose name contains the name of the original server and the serial number of the expired certificate. You will also need to export all extended properties of the certificate.
In this example the expired certificate is located on a Windows 10 system. Use the MMC administrative tool with the Certificates snap-in and find the expired certificate among the "Personal" certificates of the local computer.
Check the certificate's serial number (here 0x105006) against the information in your CAcert account. It must be the expired certificate you have renewed.
Exporting the certificate is quite straightforward.
Choose the PKCS#12 format (file suffix .PFX), which is an export including the private key.
The exported certificate should contain all extended properties.
Set the password and filename for export.
Completing the export process (summary and success message).
Create the renewed certificate linked to the private key
Continue on a computer with the Firefox browser installed; in this example it is a Windows 10 computer.
Run Firefox, open Options from its settings, then Advanced, then Certificates. In the Certificate Manager window select Import.
Select the .PFX file you exported, containing the expired certificate with its private key.
Enter the password you set twice during the export. Continue and import the expired certificate.
The displayed date confirms that this certificate is expired. Now import the renewed certificate.
Both the old (expired) and the new certificate are now imported, together with the private key, which belongs to both certificates. What matters is that the renewed certificate has its corresponding private key, a new serial number and a new validity period.
Export the renewed certificate to a file
Continue by exporting the renewed certificate with its private key; in Firefox terminology this is a "backup", which creates a certificate-and-key file with the .P12 extension.
Again, a good password must be set. The export completes after you press OK.
Install the renewed certificate and its private key on the target server
Proceed by installing the renewed certificate and its private key on the server where it will be used. This would normally be a Windows Server 2012; to work in the English locale, a Windows 10 computer was chosen for this example. Use the MMC administrative tool with the Certificates snap-in.
Select Import and choose the file you have just exported. (Transferring the file between computers is easiest over the network in a Windows domain or home/work group; otherwise a USB disk can be used.)
Enter the password you set during the export, and mark the key as exportable again.
After the renewed certificate and its private key have been imported, you may check the following:
- The complete certificate path was imported (here: the renewed server certificate and the CAcert root certificate). This does no harm.
- The imported renewed server certificate has its private key, so the server can use it. You can see this from its icon (the key marker) and from the sentence "You have a private key ..." shown when you open the certificate.
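The same procedure can be carried out from the command line with OpenSSL instead of Firefox, which also lets you verify, before building anything, that the renewed certificate really belongs to the exported private key. The script below is an added example and is not part of the CAcert wiki page: it assumes the PKCS#12 export from the original server is called expired.pfx and the PEM text copied from the "Renew" page is saved as renewed.cer, and it uses placeholder passwords. Because a renewal keeps the key pair, the public key inside renewed.cer must be byte-for-byte the same as the one belonging to the key in expired.pfx; comparing their fingerprints is the command-line equivalent of the serial-number check described above. The sample certificates at the end are constructed on the fly so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the CAcert wiki page: re-attach a renewed CAcert
# server certificate to its original private key with OpenSSL instead of
# Firefox, and check first that the two really belong together.
# Assumed inputs: expired.pfx is the PKCS#12 export from the original
# server (certificate + private key), renewed.cer is the PEM text copied
# from the CAcert "Renew" page. Passwords and paths are placeholders.
set -eu

# SHA-256 fingerprint of the public key that belongs to the private key
# inside a PKCS#12 file.  $1 = .pfx/.p12 file, $2 = its password
key_fingerprint() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
      | openssl pkey -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 fingerprint of the public key inside a PEM certificate.  $1 = file
cert_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only when the renewed certificate was issued for the exported key
# (a renewal keeps the key pair, so the fingerprints must be identical).
# $1 = .pfx with the old key, $2 = its password, $3 = renewed .cer
key_matches_cert() {
    [ "$(key_fingerprint "$1" "$2")" = "$(cert_fingerprint "$3")" ]
}

# Hex serial number of a PEM certificate.  $1 = file
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Hex serial number of the (first) certificate inside a PKCS#12 file.
# $1 = .p12 file, $2 = its password
p12_serial() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
      | openssl x509 -noout -serial | cut -d= -f2
}

# Build the file the target server imports: renewed certificate + old key.
# Refuses to proceed if the key does not match, which is the mistake the
# page's serial-number check is meant to prevent.
# $1 = old .pfx, $2 = its password, $3 = renewed .cer, $4 = output .p12,
# $5 = password for the output
build_renewed_p12() {
    if ! key_matches_cert "$1" "$2" "$3"; then
        echo "renewed certificate does not belong to the exported private key" >&2
        return 1
    fi
    tmpkey=$(mktemp)
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" -out "$tmpkey" 2>/dev/null
    openssl pkcs12 -export -inkey "$tmpkey" -in "$3" -out "$4" -passout "pass:$5"
    rm -f "$tmpkey"
}

# --- Constructed sample material standing in for the real certificates ---
# One RSA key, a short-lived self-signed certificate with the page's serial
# 0x105006 packed as expired.pfx (stand-in for the expired certificate), a
# "renewed" certificate for the same key with a new made-up serial, and an
# unrelated key in wrong.pfx to show the mismatch being caught.
# $1 = working directory
make_sample() {
    d=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/key.pem" 2>/dev/null
    openssl req -new -x509 -key "$d/key.pem" -subj "/CN=www.example.test" \
        -set_serial 0x105006 -days 1 -out "$d/expired.cer" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/expired.cer" \
        -out "$d/expired.pfx" -passout pass:oldpw
    openssl req -new -x509 -key "$d/key.pem" -subj "/CN=www.example.test" \
        -set_serial 0x10ABCD -days 730 -out "$d/renewed.cer" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.pem" 2>/dev/null
    openssl req -new -x509 -key "$d/other.pem" -subj "/CN=www.example.test" \
        -set_serial 0x105007 -days 1 -out "$d/other.cer" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/other.pem" -in "$d/other.cer" \
        -out "$d/wrong.pfx" -passout pass:oldpw
}

# Run through the procedure on the constructed files; the directory is left
# in place so the resulting renewed.p12 can be inspected.
WORK=$(mktemp -d)
make_sample "$WORK"
build_renewed_p12 "$WORK/expired.pfx" oldpw "$WORK/renewed.cer" "$WORK/renewed.p12" newpw
echo "expired serial:  $(cert_serial "$WORK/expired.cer")"
echo "renewed serial:  $(cert_serial "$WORK/renewed.cer")"
echo "renewed.p12 carries serial $(p12_serial "$WORK/renewed.p12" newpw); import it on the server"
```

With real files you would skip make_sample and call build_renewed_p12 on your own expired.pfx and renewed.cer; the resulting .p12 is imported on the target server exactly like the Firefox backup file described above, and the same "You have a private key" indicator should appear.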