
The pains and pitfalls of renewing SSL certificates--part 2

Older hardware may not support the changing requirements of the Web security industry. Mark Pimperton describes his renewal of the SSL certificate for a VPN appliance.

Having overcome a few hurdles with renewing the SSL certificate for my IIS7 / Exchange server, I felt ready to tackle the same job for my dedicated SSL VPN box, a Billion BiGuard S20 (now superseded).

Certificate Signing Request (CSR)

Past experience told me I'd have to be armed with a CSR when I went to the vendor's web site, so I logged in to the device, navigated to SSL VPN/SSL Certificate and clicked Generate CSR. Although I hadn't been involved with the original installation, we're pretty meticulous about documentation so I was able to copy the necessary information into the dialogue box before clicking Apply (Figure A).

Figure A

Generating a CSR on the VPN appliance

NOTE: A self-signed certificate is a lot easier to set up, but it is not trusted by anyone's browser or client. It will give you access to the system, but the user will see a security warning every time, and because a self-signed certificate looks the same as one an attacker has substituted, the user has no way of telling the two apart. We do use them in low-risk circumstances, e.g. where access is only internal or where the source and destination IP addresses are specified in our firewall rules.

The CSR generation creates a zip file containing the CSR and the private key (which the S20 refers to as the password). I went to the vendor's Web site and started the purchase process, completing all the usual details and specifying that I wanted to renew for two years. When I was asked for a CSR I selected "I Already Have My Own CSR" and pasted the CSR in from the "server.csr" file generated previously.

Unfortunately this gave me an error message saying:

"Your CSR contains a key size that is no longer considered secure. Security best practices require a minimum key size of 2048 bits. Please submit a new CSR with a minimum 2048 bit key size."

On checking, I found that 1024 was the largest New Key Pair Length I could specify in the CSR generation dialogue on the S20. No option for 2048 bits. Now what?
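One way to run the same check before paying, as an added example that is not part of the original article or of Trustico's procedure: generate the key pair and CSR with the OpenSSL command line on a PC instead of on the appliance, and read the key size back out of any CSR the way the CA does. It assumes the openssl binary is installed; the subject, host name and file names are made up.

```shell
#!/bin/sh
# Added example, not the article's or Trustico's own procedure: generate a
# key pair and CSR with the OpenSSL command line instead of on the appliance,
# and read the key size back out of a CSR before submitting it.
# Assumptions: the openssl binary is installed; the subject and the file
# names below are made up.
set -eu

MIN_BITS=2048   # minimum RSA key size the CA accepted (from the error message)

# make_csr <bits> <keyfile> <csrfile> <common name>
# Generates an RSA private key of the given length and a CSR signed with it.
make_csr() {
    openssl genrsa -out "$2" "$1" 2>/dev/null
    openssl req -new -sha256 -key "$2" -out "$3" \
        -subj "/C=GB/O=Example Ltd/CN=$4" 2>/dev/null
}

# csr_key_bits <csrfile>
# Prints the RSA modulus length in bits found in the CSR's public key.
csr_key_bits() {
    openssl req -noout -text -in "$1" \
        | sed -n 's/^.*Public-Key: (\([0-9]*\) bit).*$/\1/p'
}

# csr_key_ok <csrfile>
# Returns 0 when the CSR's key meets MIN_BITS, 1 otherwise (the CA's check).
csr_key_ok() {
    bits=$(csr_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ]
}

# Demonstration on throw-away keys: a 1024-bit CSR like the one the S20
# produces, and a 2048-bit CSR generated off-box.
work=$(mktemp -d)
make_csr 1024 "$work/weak.key" "$work/weak.csr" vpn.example.com
make_csr 2048 "$work/good.key" "$work/good.csr" vpn.example.com
for csr in "$work/weak.csr" "$work/good.csr"; do
    if csr_key_ok "$csr"; then
        echo "${csr}: $(csr_key_bits "$csr")-bit key, acceptable"
    else
        echo "${csr}: $(csr_key_bits "$csr")-bit key, would be rejected (minimum $MIN_BITS)"
    fi
done
rm -rf "$work"
```

Two caveats. Generating the key off-box only helps if the device can import a private key of that length, and the private key then exists on the PC as well, so it needs protecting and deleting once imported. And, as the rest of the article shows, a device whose hardware cannot handle 2048-bit keys is not rescued by this: the CSR will be accepted, but the resulting certificate will not work on the box.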

Back on the Trustico site, underneath the error message I noticed an option for the site to generate a CSR for me so I chose "I'd like Trustico to generate my CSR instantly". Having completed the required fields, of which the Domain Name is the most important, a CSR Verification screen appeared asking me to confirm the domain name I wanted the certificate for. This screen also told me the expiration date of the old certificate, showing that the system had recognised the domain name and knew it was due for renewal. I clicked Continue and all seemed well.

Verification and payment

After providing an email address for verification purposes, confirming the Subscriber Agreement and checking the order details, the order was finally complete. I paid by credit card and received one email confirming the payment and another requesting approval. I followed the link and clicked Approve, and the Web page showed me this message:

"Your order is pending a final quality review prior to issuance. This review is normally completed within one business day. For more information on why your order was selected for final quality review visit our FAQs at https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO9246"

This seemed a little odd, but after a day I was sent a further email saying all was well and telling me how to use the Trustico tracking system to view the main certificate, intermediate certificate and private key.

Phew.

Installation

Unsurprisingly, the various installation instructions on the Trustico Web site didn't include my specific device. I'm also assuming that most people won't be working with this particular device (since Billion is relatively obscure and the S20 is no longer manufactured) so I'll spare you the detail.

In summary, the S20 manual told me how to import a certificate but I had no idea what to do with the intermediate one. Nevertheless, I created two import zip files, one containing the main certificate and the password and another with the intermediate certificate and the (same) password. The import process worked for both and the password was accepted. In the list of current certificates I then clicked "Enable" for what I took to be the "main" one (as opposed to the intermediate one), judging from the expiry date. The box said it was restarting the SSL VPN service but then appeared to hang up, eventually needing a forced restart. When I logged in, it was still using the old certificate. I tried again, with the same result.

I contacted the manufacturer, who told me that the hardware couldn't support a 2048-bit certificate.
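What the intermediate certificate is for, and how to check a chain before loading it into an appliance, as an added example that is not from the article or the S20 manual: it builds a throw-away root, intermediate and server certificate with OpenSSL, then shows that the server certificate only verifies against the root when the intermediate is supplied. Everything here is constructed; the names are made up and the openssl binary is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the article or the S20 manual: build a throw-away
# root -> intermediate -> server chain with OpenSSL and show why the
# intermediate certificate has to be installed alongside the server one.
# Assumptions: openssl is installed; every name and file below is made up.
set -eu

# build_chain <dir>
# Creates root.pem, int.pem (signed by root) and server.pem (signed by int).
build_chain() {
    d=$1
    # Extensions that make the intermediate a CA certificate.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Example Root CA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Example Issuing CA" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/int.csr" \
        -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$d/server.key" -out "$d/server.csr" -subj "/CN=vpn.example.com" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/server.csr" \
        -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -out "$d/server.pem" 2>/dev/null
}

# verify_chain <root> <server> [intermediate]
# Returns 0 when the server certificate chains to the trusted root. This is
# what a client does: it trusts the root, but is never shipped the
# intermediate, so the server has to present it.
verify_chain() {
    if [ "$#" -eq 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# make_bundle <server> <intermediate> <out>
# Server certificate first, then the intermediate(s); the root is not included.
make_bundle() {
    cat "$1" "$2" > "$3"
}

# Demonstration.
work=$(mktemp -d)
build_chain "$work"
if verify_chain "$work/root.pem" "$work/server.pem"; then
    echo "server.pem verified without the intermediate (unexpected)"
else
    echo "server.pem alone: unable to get local issuer certificate"
fi
if verify_chain "$work/root.pem" "$work/server.pem" "$work/int.pem"; then
    echo "server.pem + int.pem: OK"
fi
make_bundle "$work/server.pem" "$work/int.pem" "$work/bundle.pem"
echo "bundle.pem contains $(grep -c 'BEGIN CERTIFICATE' "$work/bundle.pem") certificates"
rm -rf "$work"
```

Once a certificate is live, `openssl s_client -connect host:443 -showcerts` lists exactly which certificates the device is sending. If the intermediate is not in that list, clients that do not already have it cached will warn even though the server certificate itself is valid, which is the usual reason a freshly installed certificate "works on my PC" and nowhere else.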

Try again

I explained to Trustico what had happened and asked for advice. How could I switch to a 1024-bit certificate? The initial response wasn't too helpful so I resorted to asking for help on the Spiceworks Community. I actually got a response from Trustico on that thread, but in the meantime I'd been advised to start again and buy a new certificate from scratch. (This meant writing off the modest cost of the 2-year one.)

I steeled myself and launched into the process again, this time specifying a 12-month certificate and pasting in my own 1024-bit CSR, which was accepted. After repeating the import on the S20 I was able to successfully enable the new certificate, which is good until summer 2013. At that point nobody will sell me a 1024-bit certificate so my S20 effectively becomes junk and we'll be looking for a new SSL box.

Summary

In order to renew the certificate for my hardware I had to restrict it to 12 months, and throw away the 24-month certificate I'd already bought. The CA/Browser Forum Baseline Requirements allow 1024-bit RSA keys only in certificates that expire on or before 31 December 2013, so by the end of 2013 all publicly trusted SSL certificates will have to use keys of at least 2048 bits.

About

Mark Pimperton BSc PhD has worked for a small UK electronics manufacturer for over 20 years in areas as diverse as engineering, technical sales, publications, and marketing. He's been involved in IT since 1999, when he project-managed implementation ...

2 comments
Vern Anderson

You should not have had to "write off" the cost of the screw up. Most vendors will let you revoke and renew under the same bill. I work with Verisign (Symantec) and Thawte all the time and when customers order the wrong thing they never get billed for the mistake, just revoke-renew. I can't speak for Equifax and Godaddy and all the other Verisign wannabees. =)

mark1408

The cert was cheap and I was offered "cancellation insurance" for a few £ more but declined it. I can't really complain. For something like a wildcard cert which costs significant money I'd be more careful.