OS4X Core - Regenerate certificate request

From OS4X
Jump to navigation Jump to search

In case of an expiring or expired certificate, you need to re-request a certificate at a given CA. Using OS4X's built-in capability to regenerate a certificate signing request (CSR) from an existing certificate is the easiest way to do this task.

Requirements

The following requirements must be met before this described process may work:

  • You already have a certificate and private key combination uploaded to the "CSR" management panel, say: you have a green line indicating that you have such an entry.
  • Latest version of OS4X is installed.
  • Your webserver (PHP) is able to communicate to the internet via https

If no communication is possible, you can manually download the CSR and send it to us via eMail to support@os4x.com, but the most common way is the direct communication.

Find certificate

In order to re-request a certificate signing request, navigate to the administrative web interface to the menu entry "Certificates" -> "Cert.request". In the new panel, search your certificate you want to use for regenaration and click on the "gear" icon (labeled as "Use certificate of CSR ..."):

Google ChromeScreenSnapz134.png

Issue new CSR

In the new window, click on the button "Regenerate new certificate request based in this certificate". A new private key is used due to CAs that may interfere with existing certificate requests signed with the same key. All textual information (like C, CN, OU etc.) will be extracted from the original certificate.

Google ChromeScreenSnapz135.png

If the issued certificate was issued by the c-works OFTP2 CA, then your request is sent online to the CA, you don't need any interaction.

If the issued certificate was not issued by the c-works OFTP2 CA, then you have to download the CSR with the "Save" icon .

Receiving certificate

Issueing certificates is a manual process, thus it takes 2-2 business days to complete. You will receive your certificate to the e-mail address which was provided in the request field "e-mail address". The certificate file will be sent in an eMail attachement. Upload the certificate file in the CSR panel via the "Upload certificate" button:

Image-CertRequest7.png

Your line of the corresponding certificate request will instantly turn green:

CertRequest8.png

Use the certificate

With a green line, you can use this issued certificate (in combination with your private key) for any security operation in OFTP2. To ease up the configuration, click on the 5th icon on the left labeled with "Use certificate...". A new panel opens:

CertRequest9.png

If your configured OFTP2 TLS server certificate is writable by the webserver, you can easily write a new version of that file. A backup of the old file will be made, if possible (give the webserver write permissions to the directory where the certificate file is configured to). Afterwards, restart your OS4X daemons in order to activate the new certificate (active transfers are not affected).

If you have OFTP2 security enabled (secure authentification, file encryption, file signing or signed EERPs) for all, some or even one partner, you can use the buttons and comboboxes below in order to activate this certificate as an instant or future replacement of your current configuration. The certificate will then be saved in the partner's configuration and the partner is being informed by this change with an Odette OFTP2 certificate exchange mechanism. You can use the button "Inform all relevant OFTP2 partners (with OFTP2 security options enabled)" in order to inform them about your new certificate. This process will send the new certificate as a future replacement to the partner via OFTP2. The partner must be able to support the Odette certificate exchange mechanism.

When using the button "Inform all relevant OFTP2 partners", the certificate will only sent to these partners which have security optioons enabled in the OFTP2 protocol configuration. The automated mechanism sends the new certificate to these partners via OFTP2, inserts these values as inactive cipher suite variable values in the partner configuration. After having received the acknowledgement of the certificate exchange, OS4X activates the new certificate.