Irtsgbr

Can a flute soloist sit?

What tool would a Roman-age civilization have for the breaking of silver and other metals into dust?

How to deal with fear of taking dependencies

How to type this arrow in math mode?

Multiply Two Integer Polynomials

Why do UK politicians seemingly ignore opinion polls on Brexit?

Return to UK after being refused entry years previously

Is an up-to-date browser secure on an out-of-date OS?

Should I use my personal e-mail address, or my workplace one, when registering to external websites for work purposes?

If a Druid sees an animal’s corpse, can they wild shape into that animal?

Are spiders unable to hurt humans, especially very small spiders?

Why is the maximum length of OpenWrt’s root password 8 characters?

Have you ever entered Singapore using a different passport or name?

Why hard-Brexiteers don't insist on a hard border to prevent illegal immigration after Brexit?

Where to refill my bottle in India?

"as much details as you can remember"

Why didn't the Event Horizon Telescope team mention Sagittarius A*?

What is the meaning of Triage in Cybersec world?

What are the motivations for publishing new editions of an existing textbook, beyond new discoveries in a field?

What is the accessibility of a package's `Private` context variables?

Is flight data recorder erased after every flight?

Earliest use of the term "Galois extension"?

How can I autofill dates in Excel excluding Sunday?

When should I buy a clipper card after flying to OAK?

How does one change the certificate and key for a web service with Strict-Transport-Security established

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

4

We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. However, this site was set up some time ago with Strict-Transport-Security established. This is preventing our users from accessing the site.

Using the existing key and issuing a new CSR is one possibility but the existing key is 1024 bits (it was issued in 2006).

How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.

apache-2.4 ssl-certificate

share|improve this question

edited 13 hours ago

James B. Byrne

asked 13 hours ago

James B. ByrneJames B. Byrne

1746

add a comment | 

4

We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. However, this site was set up some time ago with Strict-Transport-Security established. This is preventing our users from accessing the site.

Using the existing key and issuing a new CSR is one possibility but the existing key is 1024 bits (it was issued in 2006).

How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.

apache-2.4 ssl-certificate

share|improve this question

edited 13 hours ago

James B. Byrne

asked 13 hours ago

James B. ByrneJames B. Byrne

1746

add a comment | 

We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. However, this site was set up some time ago with Strict-Transport-Security established. This is preventing our users from accessing the site.

Using the existing key and issuing a new CSR is one possibility but the existing key is 1024 bits (it was issued in 2006).

How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.

apache-2.4 ssl-certificate

share|improve this question

edited 13 hours ago

James B. Byrne

asked 13 hours ago

James B. ByrneJames B. Byrne

1746

share|improve this question

edited 13 hours ago

James B. Byrne

asked 13 hours ago

James B. ByrneJames B. Byrne

1746

share|improve this question

edited 13 hours ago

James B. Byrne

asked 13 hours ago

James B. ByrneJames B. Byrne

1746

asked 13 hours ago

James B. ByrneJames B. Byrne

1746

asked 13 hours ago

James B. ByrneJames B. Byrne

1746

1 Answer
1

active

oldest

votes

6

HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.

Are you sure you dont mean HTTP Public Key Pinning (HPKP)

Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.

share|improve this answer

edited 12 hours ago

answered 13 hours ago

Aroly7Aroly7

1444

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes. I believe that you are correct. I missed the distinction. I will research that instead.
  
  – James B. Byrne
  13 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.
  
  – John Mahowald
  12 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The resolution to that would be to add new header to expire after current last header expires.
  
  – Aroly7
  12 hours ago
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962425%2fhow-does-one-change-the-certificate-and-key-for-a-web-service-with-strict-transp%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

6

HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.

Are you sure you dont mean HTTP Public Key Pinning (HPKP)

Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.

share|improve this answer

edited 12 hours ago

answered 13 hours ago

Aroly7Aroly7

1444

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes. I believe that you are correct. I missed the distinction. I will research that instead.
  
  – James B. Byrne
  13 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.
  
  – John Mahowald
  12 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The resolution to that would be to add new header to expire after current last header expires.
  
  – Aroly7
  12 hours ago
  

  
  
  
  

add a comment | 

6

HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.

Are you sure you dont mean HTTP Public Key Pinning (HPKP)

Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.

share|improve this answer

edited 12 hours ago

answered 13 hours ago

Aroly7Aroly7

1444

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes. I believe that you are correct. I missed the distinction. I will research that instead.
  
  – James B. Byrne
  13 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.
  
  – John Mahowald
  12 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The resolution to that would be to add new header to expire after current last header expires.
  
  – Aroly7
  12 hours ago
  

  
  
  
  

add a comment | 

HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.

Are you sure you dont mean HTTP Public Key Pinning (HPKP)

Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.

share|improve this answer

edited 12 hours ago

answered 13 hours ago

Aroly7Aroly7

1444

share|improve this answer

edited 12 hours ago

answered 13 hours ago

Aroly7Aroly7

1444

answered 13 hours ago

Aroly7Aroly7

1444

answered 13 hours ago

Aroly7Aroly7

1444