How does one change the certificate and key for a web service with Strict-Transport-Security established The 2019 Stack Overflow Developer Survey Results Are InImport private key and certificate into Tomcat?Windows 2008 R2 Active Directory + NDES CA, OpenSSL clients renewing certificatesCan I get anSHA-256 certificate when the CSR is for SHA-1?How to fix issues with LetsEncrypt certificate chains on Windows Server?OpenSSL - Add Subject Alternate Name (SAN) when signing with CAActive Directory, wildcard security certificate, and remote accessIssue SSL certificate - no private key optionHow is a self-signed certificate different from a certificate signing request?Re-issuing self-signed root CA without invalidating certificates signed by itFirefox Certificate Authorities: Where is 'Google Internet Authority G2'?

Can a flute soloist sit?

What tool would a Roman-age civilization have for the breaking of silver and other metals into dust?

How to deal with fear of taking dependencies

How to type this arrow in math mode?

Multiply Two Integer Polynomials

Why do UK politicians seemingly ignore opinion polls on Brexit?

Return to UK after being refused entry years previously

Is an up-to-date browser secure on an out-of-date OS?

Should I use my personal e-mail address, or my workplace one, when registering to external websites for work purposes?

If a Druid sees an animal’s corpse, can they wild shape into that animal?

Are spiders unable to hurt humans, especially very small spiders?

Why is the maximum length of OpenWrt’s root password 8 characters?

Have you ever entered Singapore using a different passport or name?

Why hard-Brexiteers don't insist on a hard border to prevent illegal immigration after Brexit?

Where to refill my bottle in India?

"as much details as you can remember"

Why didn't the Event Horizon Telescope team mention Sagittarius A*?

What is the meaning of Triage in Cybersec world?

What are the motivations for publishing new editions of an existing textbook, beyond new discoveries in a field?

What is the accessibility of a package's `Private` context variables?

Is flight data recorder erased after every flight?

Earliest use of the term "Galois extension"?

How can I autofill dates in Excel excluding Sunday?

When should I buy a clipper card after flying to OAK?



How does one change the certificate and key for a web service with Strict-Transport-Security established



The 2019 Stack Overflow Developer Survey Results Are InImport private key and certificate into Tomcat?Windows 2008 R2 Active Directory + NDES CA, OpenSSL clients renewing certificatesCan I get anSHA-256 certificate when the CSR is for SHA-1?How to fix issues with LetsEncrypt certificate chains on Windows Server?OpenSSL - Add Subject Alternate Name (SAN) when signing with CAActive Directory, wildcard security certificate, and remote accessIssue SSL certificate - no private key optionHow is a self-signed certificate different from a certificate signing request?Re-issuing self-signed root CA without invalidating certificates signed by itFirefox Certificate Authorities: Where is 'Google Internet Authority G2'?



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








4















We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. However, this site was set up some time ago with Strict-Transport-Security established. This is preventing our users from accessing the site.



Using the existing key and issuing a new CSR is one possibility but the existing key is 1024 bits (it was issued in 2006).



How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.






apache-2.4 ssl-certificate







share|improve this question






























    4















    We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. However, this site was set up some time ago with Strict-Transport-Security established. This is preventing our users from accessing the site.



    Using the existing key and issuing a new CSR is one possibility but the existing key is 1024 bits (it was issued in 2006).



    How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.






    apache-2.4 ssl-certificate







    share|improve this question


























      4












      4








      4








      We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. However, this site was set up some time ago with Strict-Transport-Security established. This is preventing our users from accessing the site.



      Using the existing key and issuing a new CSR is one possibility but the existing key is 1024 bits (it was issued in 2006).



      How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.






      apache-2.4 ssl-certificate







      share|improve this question
















      We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. However, this site was set up some time ago with Strict-Transport-Security established. This is preventing our users from accessing the site.



      Using the existing key and issuing a new CSR is one possibility but the existing key is 1024 bits (it was issued in 2006).



      How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.






      apache-2.4 ssl-certificate




      apache-2.4 ssl-certificate






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 13 hours ago







      James B. Byrne

















      asked 13 hours ago









      James B. ByrneJames B. Byrne

      1746




      1746




















          1 Answer
          1






          active

          oldest

          votes


















          6














          HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.



          Are you sure you dont mean HTTP Public Key Pinning (HPKP)



          Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.






          share|improve this answer

























          • Yes. I believe that you are correct. I missed the distinction. I will research that instead.

            – James B. Byrne
            13 hours ago











          • HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

            – John Mahowald
            12 hours ago











          • The resolution to that would be to add new header to expire after current last header expires.

            – Aroly7
            12 hours ago











          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "2"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962425%2fhow-does-one-change-the-certificate-and-key-for-a-web-service-with-strict-transp%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          6














          HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.



          Are you sure you dont mean HTTP Public Key Pinning (HPKP)



          Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.






          share|improve this answer

























          • Yes. I believe that you are correct. I missed the distinction. I will research that instead.

            – James B. Byrne
            13 hours ago











          • HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

            – John Mahowald
            12 hours ago











          • The resolution to that would be to add new header to expire after current last header expires.

            – Aroly7
            12 hours ago















          6














          HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.



          Are you sure you dont mean HTTP Public Key Pinning (HPKP)



          Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.






          share|improve this answer

























          • Yes. I believe that you are correct. I missed the distinction. I will research that instead.

            – James B. Byrne
            13 hours ago











          • HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

            – John Mahowald
            12 hours ago











          • The resolution to that would be to add new header to expire after current last header expires.

            – Aroly7
            12 hours ago













          6












          6








          6







          HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.



          Are you sure you dont mean HTTP Public Key Pinning (HPKP)



          Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.






          share|improve this answer















          HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.



          Are you sure you dont mean HTTP Public Key Pinning (HPKP)



          Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 12 hours ago

























          answered 13 hours ago









          Aroly7Aroly7

          1444




          1444












          • Yes. I believe that you are correct. I missed the distinction. I will research that instead.

            – James B. Byrne
            13 hours ago











          • HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

            – John Mahowald
            12 hours ago











          • The resolution to that would be to add new header to expire after current last header expires.

            – Aroly7
            12 hours ago

















          • Yes. I believe that you are correct. I missed the distinction. I will research that instead.

            – James B. Byrne
            13 hours ago











          • HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

            – John Mahowald
            12 hours ago











          • The resolution to that would be to add new header to expire after current last header expires.

            – Aroly7
            12 hours ago
















          Yes. I believe that you are correct. I missed the distinction. I will research that instead.

          – James B. Byrne
          13 hours ago





          Yes. I believe that you are correct. I missed the distinction. I will research that instead.

          – James B. Byrne
          13 hours ago













          HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

          – John Mahowald
          12 hours ago





          HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.

          – John Mahowald
          12 hours ago













          The resolution to that would be to add new header to expire after current last header expires.

          – Aroly7
          12 hours ago





          The resolution to that would be to add new header to expire after current last header expires.

          – Aroly7
          12 hours ago

















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Server Fault!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962425%2fhow-does-one-change-the-certificate-and-key-for-a-web-service-with-strict-transp%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          How to make RAID controller rescan devices The 2019 Stack Overflow Developer Survey Results Are InLSI MegaRAID SAS 9261-8i: Disk isn't recognized after replacementHow to monitor the hard disk status behind Dell PERC H710 Raid Controller with CentOS 6?LSI MegaRAID - Recreate missing RAID 1 arrayext. 2-bay USB-Drive with RAID: btrfs RAID vs built-in RAIDInvalid SAS topologyDoes enabling JBOD mode on LSI based controllers affect existing logical disks/arrays?Why is there a shift between the WWN reported from the controller and the Linux system?Optimal RAID 6+0 Setup for 40+ 4TB DisksAccidental SAS cable removal

          Image
          Is "plugging out" electronic devices an American expression? Does a dangling wire really electrocute me if I'm standing in water? Adding labels to a table: columns and rows Spanish for "widget" Landlord wants to switch my lease to a "Land contract" to "get back at the city" Lethal sonic weapons On the insanity of kings as an argument against monarchy Is there a general name for the setup in which payoffs are not known exactly but players try to influence each other's perception of the payoffs? How long do I have to send my income tax payment to the IRS? Geography at the pixel level Can a zener diode with a higher power dissipation be used in place of the original one in an audio amplifier? How can I make payments on the Internet without leaving a money trail? What can other administrators access on my machine? Understanding the implication of what "well-defined" means for the operation in quotient group
          Read more

          Куамањотепек (Чилапа де Алварез) Садржај Становништво Види још Референце Спољашње везе Мени за навигацију17°19′47″N 99°1′51″W / 17.32972° СГШ; 99.03083° ЗГД / 17.32972; -99.0308317°19′47″N 99°1′51″W / 17.32972° СГШ; 99.03083° ЗГД / 17.32972; -99.030838877656„Instituto Nacional de Estadística y Geografía”„The GeoNames geographical database”Мексичка насељапроширитиуу

          Image
          Насеља у општини Чилапа де Алварез (Гереро) шп.МексикуГерероопштиниЧилапа де Алварезнадморској висини2010 (function()var node=document.getElementById("mw-dismissablenotice-anonplace");if(node)node.outerHTML="u003Cdiv class="mw-dismissable-notice"u003Eu003Cdiv class="mw-dismissable-notice-close"u003E[u003Ca tabindex="0" role="button"u003Eсакријu003C/au003E]u003C/divu003Eu003Cdiv class="mw-dismissable-notice-body"u003Eu003Cdiv id="localNotice" lang="sr" dir="ltr"u003Eu003Cdiv class="noticebanner"u003Eu003Cdiv class="plainlinks" style="background-image: -moz-linear-gradient(top, #fefefe, #fefefe, #f0f0f0); background-image: -o-linear-gradient(top, #fefefe, #fefefe, #f0f0f0); background-image: -webkit-linear-gradient(top, #fefefe, #fefefe, #f0f0f0); background-image: linear-gradient(to bottom, #fefefe, #fefefe, #f0f0f0);; -moz-border-radius: 10px; -webkit-border-rad
          Read more

          Can the Right Ascension and Argument of Perigee of a spacecraft's orbit keep varying by themselves with time? The 2019 Stack Overflow Developer Survey Results Are InHow is the altitude of a satellite defined, given that the Earth is not spherical?Why do satellites appear to move faster when overhead and slower closer to the horizon?For the mathematical relationship between J2 (km^5/s^2) and dimensionless J2 - which one is derived from the other?Why is Nodal precession affected by the rotational period of the planet?Why is it so difficult to predict the exact reentry location and time of a very low earth orbit object?Why are low earth orbit satellites not visible from the same place all the time?Perifocal coordinates and the orbit equationHow feasible is the Moonspike mission?What was the typical perigee after a shuttle de-orbit burn?I am having trouble calculating my classic orbital elements and am at a loss on where to lookAm I supposed to modify the gravitational constant with scale and why do fps & time scale changes cause my orbit to break?How Local time of a sun synchronous orbit is related to Right ascension of ascending node?What is wrong with my orbit sim equations? How can I fix them?How to obtain the initial positions and velocities of an inclined orbit?

          Image
          Why is this recursive code so slow? Button changing its text & action. Good or terrible? What do I do when my TA workload is more than expected? What is the most efficient way to store a numeric range? Why are there uneven bright areas in this photo of black hole? Why can't wing-mounted spoilers be used to steepen approaches? What aspect of planet earth must be changed to prevent the industrial revolution? Deal with toxic manager when you can't quit Single author papers against my advisor's will? Did any laptop computers have a built-in 5 1/4 inch floppy drive? How can I add encounters in the Lost Mine of Phandelver campaign without giving PCs too much XP? How many cones with angle theta can I pack into the unit sphere? Why did Peik say, "I'm not an animal"? How do I free up internal storage if I don't have any apps downloaded? How to read αἱμύλιος or when to aspirate Question on an engine pulling a train Why can't d
          Read more