Rrerku

Can someone be penalized for an "unlawful" act if no penalty is specified?

Why not take a picture of a closer black hole?

For what reasons would an animal species NOT cross a *horizontal* land bridge?

Protecting Dualbooting Windows from dangerous code (like rm -rf)

When should I buy a clipper card after flying to OAK?

Aging parents with no investments

What is the most effective way of iterating a std::vector and why?

Is this app Icon Browser Safe/Legit?

Write faster on AT24C32

What is the accessibility of a package's `Private` context variables?

Earliest use of the term "Galois extension"?

How technical should a Scrum Master be to effectively remove impediments?

How are circuits which use complex ICs normally simulated?

Why do UK politicians seemingly ignore opinion polls on Brexit?

How to save as into a customized destination on macOS?

Is a "Democratic" Oligarchy-Style System Possible?

Is "plugging out" electronic devices an American expression?

Why is the maximum length of OpenWrt’s root password 8 characters?

Pokemon Turn Based battle (Python)

Did Scotland spend $250,000 for the slogan "Welcome to Scotland"?

What do hard-Brexiteers want with respect to the Irish border?

Where to refill my bottle in India?

Lightning Grid - Columns and Rows?

How to deal with fear of taking dependencies

How does one change the certificate and key for a web service with Strict-Transport-Security established

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

4

We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. However, this site was set up some time ago with Strict-Transport-Security established. This is preventing our users from accessing the site.

Using the existing key and issuing a new CSR is one possibility but the existing key is 1024 bits (it was issued in 2006).

How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.

apache-2.4 ssl-certificate

share|improve this question

edited 13 hours ago

James B. Byrne

asked 13 hours ago

James B. ByrneJames B. Byrne

1746

add a comment | 

4

We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. However, this site was set up some time ago with Strict-Transport-Security established. This is preventing our users from accessing the site.

Using the existing key and issuing a new CSR is one possibility but the existing key is 1024 bits (it was issued in 2006).

How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.

apache-2.4 ssl-certificate

share|improve this question

edited 13 hours ago

James B. Byrne

asked 13 hours ago

James B. ByrneJames B. Byrne

1746

add a comment | 

We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. However, this site was set up some time ago with Strict-Transport-Security established. This is preventing our users from accessing the site.

Using the existing key and issuing a new CSR is one possibility but the existing key is 1024 bits (it was issued in 2006).

How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.

apache-2.4 ssl-certificate

share|improve this question

edited 13 hours ago

James B. Byrne

asked 13 hours ago

James B. ByrneJames B. Byrne

1746

share|improve this question

edited 13 hours ago

James B. Byrne

asked 13 hours ago

James B. ByrneJames B. Byrne

1746

share|improve this question

edited 13 hours ago

James B. Byrne

asked 13 hours ago

James B. ByrneJames B. Byrne

1746

asked 13 hours ago

James B. ByrneJames B. Byrne

1746

asked 13 hours ago

James B. ByrneJames B. Byrne

1746

1 Answer
1

active

oldest

votes

6

HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.

Are you sure you dont mean HTTP Public Key Pinning (HPKP)

Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.

share|improve this answer

edited 12 hours ago

answered 13 hours ago

Aroly7Aroly7

1444

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes. I believe that you are correct. I missed the distinction. I will research that instead.
  
  – James B. Byrne
  13 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.
  
  – John Mahowald
  13 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The resolution to that would be to add new header to expire after current last header expires.
  
  – Aroly7
  13 hours ago
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962425%2fhow-does-one-change-the-certificate-and-key-for-a-web-service-with-strict-transp%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

6

HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.

Are you sure you dont mean HTTP Public Key Pinning (HPKP)

Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.

share|improve this answer

edited 12 hours ago

answered 13 hours ago

Aroly7Aroly7

1444

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes. I believe that you are correct. I missed the distinction. I will research that instead.
  
  – James B. Byrne
  13 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.
  
  – John Mahowald
  13 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The resolution to that would be to add new header to expire after current last header expires.
  
  – Aroly7
  13 hours ago
  

  
  
  
  

add a comment | 

6

HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.

Are you sure you dont mean HTTP Public Key Pinning (HPKP)

Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.

share|improve this answer

edited 12 hours ago

answered 13 hours ago

Aroly7Aroly7

1444

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes. I believe that you are correct. I missed the distinction. I will research that instead.
  
  – James B. Byrne
  13 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  HPKP support was removed from several user agents, but its highly likely your users are still using affected versions. You will have problems until your last header expires from max-age.
  
  – John Mahowald
  13 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The resolution to that would be to add new header to expire after current last header expires.
  
  – Aroly7
  13 hours ago
  

  
  
  
  

add a comment | 

HTTP Strict Transport Security also known as HSTS do not limit use with any other valid certificate.

Are you sure you dont mean HTTP Public Key Pinning (HPKP)

Edit: Just for clarification for HSTS the cert have to be trusted to be counted as valid.

share|improve this answer

edited 12 hours ago

answered 13 hours ago

Aroly7Aroly7

1444

share|improve this answer

edited 12 hours ago

answered 13 hours ago

Aroly7Aroly7

1444

answered 13 hours ago

Aroly7Aroly7

1444

answered 13 hours ago

Aroly7Aroly7

1444