
How to handle certificate expiry

2010-04-28
2013-04-25
  • John Hughes

    John Hughes - 2010-04-28

    What is the graceful way of handling certificate expiry in OpenAS2?

    I have a partner whose certificate is going to expire. I suppose he's going to send me a new one. But I can't install the new one until he stops using the old one, right?

    Or is there some way of installing the old one and the new one simultaneously?

    Also, what do I do when my certificate expires?  How do I replace it in the pkcs12 store?

  • rob

    rob - 2010-04-28

    I'm new to AS2 - don't have to worry about this for a year but I am interested in how other organisations handle this sort of thing.
    Thanks

  • beppeg

    beppeg - 2010-04-30

    Hello,

    just delete the old certificate (with "cert delete <alias>") and import the new one… keep in mind that normally in enterprise scenarios changes are agreed on.

  • John Hughes

    John Hughes - 2010-07-30

    Yes, this is what I did (it's a bit harder than that if it's your certificate that expired).

    But frankly it's a crap way of working - if you have 100 partners you've got to get all 100 of them synchronised exactly for the change. If they're all sending messages every minute or so then you are going to have problems.

  • Andrew McLaughlin

    @hughesj: I agree completely. Need a way to add new cert and identify date/time when it should automatically go active.

    I'm currently in a pickle. Client certs expired and issued new ones to use. I've tried doing the cert import and now it's completely broken. We are dead in the water.

    Anyone out there consider themselves an expert? Will be happy to pay for the steps necessary to get this thing going again.

    TIA
    Piko

  • David Marcillo

    David Marcillo - 2011-05-12

    I am new to OpenAS2 - still evaluating if we should use it. Here is how to manage the AS2 Keystore Type: PKCS#12. Download a tool named Portecle from https://sourceforge.net/projects/portecle/. This tool will help you manage all types of keystores. Portecle helps you delete an old certificate and import a new certificate, as well as look at every item in a keystore.
    Hope this helps… feel free to post a question… I am debugging the source code for this project in Eclipse to see if we want to use this versus the mendelson stuff. This should help you… David.
    PS: do you folks use https to communicate with partners?

  • John Hughes

    John Hughes - 2011-10-26

    @dmarcillo82

    Don't need a fancy tool to manage the PKCS12 keystore used by OpenAS2 - it's easy enough to handle (*) with openssl and the built-in command processor. (In fact it is possible to program automatic key replacement using the SSL command interface (**).)

    (*) except for the special case of changing your own certificate/private key, which I have done by converting the pkcs12 store to PEM format, editing it, then converting it back to pkcs12.

    (**) The trick is that you need to connect to OpenAS2's command port using the cipher ADH-RC4-MD5.
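
    One way to see the synchronisation problem coming before a partner's certificate lapses, as an added example that is neither OpenAS2's code nor any poster's: a POSIX shell function that uses openssl (as the post above does) to list every certificate in an OpenAS2 PKCS#12 keystore by its alias and flag those expiring within a chosen number of days. The keystore path, password and the 30-day window are assumptions.

```shell
#!/bin/sh
# Added example (not from OpenAS2 or the thread): scan a PKCS#12 keystore
# with openssl and flag certificates that expire within a warning window.
# Assumptions: keystore path, password and warning window are placeholders.
set -eu

# check_keystore STORE PASSWORD WARN_DAYS
# Prints one line per certificate: "<status> <alias> <notAfter>", where status
# is EXPIRING if the cert expires within WARN_DAYS (or already has), else OK.
check_keystore() {
  store=$1; pass=$2; warn_days=$3
  tmp=$(mktemp -d)
  # Dump only the certificates (no private keys) as PEM, with bag attributes.
  openssl pkcs12 -in "$store" -passin "pass:$pass" -nokeys 2>/dev/null > "$tmp/all.pem"
  # Split the dump into one file per certificate, keeping the friendlyName
  # (the alias OpenAS2 uses) that precedes each one.
  awk -v dir="$tmp" '
    /friendlyName:/ { alias = $2 }
    /-----BEGIN CERTIFICATE-----/ {
      n++; f = dir "/" n ".pem"
      print alias > (dir "/" n ".alias"); close(dir "/" n ".alias")
    }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = ""; alias = "" }
  ' "$tmp/all.pem"
  seconds=$((warn_days * 86400))
  for pem in "$tmp"/*.pem; do
    [ "$pem" = "$tmp/all.pem" ] && continue
    alias=$(cat "${pem%.pem}.alias")
    [ -n "$alias" ] || alias="(no-alias)"
    not_after=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
    # -checkend returns 0 only if the cert is still valid WARN_DAYS from now.
    if openssl x509 -in "$pem" -noout -checkend "$seconds" >/dev/null; then
      echo "OK $alias $not_after"
    else
      echo "EXPIRING $alias $not_after"
    fi
  done
  rm -rf "$tmp"
}
```

    Run it from cron against the keystore OpenAS2 uses and you get advance notice for every partner alias, which is the lead time needed to agree the changeover date mentioned earlier in the thread.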
