Architecting, installing and maintaining your SAS environment

Renew TLS server certificate for webserver

Reply
Regular Contributor
Posts: 205

Renew TLS server certificate for webserver

Hi team,

 

Due to an update in Chrome, we had to regenerate one of our SAS web server certificate files.

 

Since the corporate CA certificate nor the server private key changed, am I correct by saying that I can only replace the .crt file in <config_dir>/Lev1/Web/WebServer/ssl and restart the mid tier ?

 

Thanks,

 

Trusted Advisor
Posts: 1,326

Re: Renew TLS server certificate for webserver

Hello,

Actually, no, that's not enough.
You need to ensure the certificate chain is replaced/updated on the web server (if you have set up the certificate chain file), and you need to re-import in order every certificate from the chain in every machine where the privatejre from SAS is installed (servers and clients).


Regular Contributor
Posts: 205

Re: Renew TLS server certificate for webserver

Posted in reply to JuanS_OCS

Thanks @JuanS_OCS

 

Please bear with me, I'm on crypto 101 here.....

 

If the none of the CA details have changed, why would that affect the chain ?

Trusted Advisor
Posts: 1,326

Re: Renew TLS server certificate for webserver

Good question.

Actually, one detail changes right? Expiration date or whatsoever. The thing is that you need to change the CA with some (minor) detail changes what I expect will change, in the end, the pem certificate content. If client-server certificate has any difference, ssl won't validate the connection.

So, what you can do once you regenerate the new ca, is to compare contents of the file. If they are the same, you won't need to ensure anything , but if a single character changes, I would refer you to my previous advise.
Regular Contributor
Posts: 205

Re: Renew TLS server certificate for webserver

Posted in reply to JuanS_OCS

Thanks @JuanS_OCS, makes sense. We'll probably only do this on Thu, but I will report back.

 

Thanks for the help.

Regular Contributor
Posts: 205

Re: Renew TLS server certificate for webserver

Ok, so I made the change yesterday. I only replaced the server's certificate, since that is the only component that changed. No CA changes were made. The change was succesful and the mid-tier came up ok.

 

Both IE and Chrome are now connecting ok.

 

Thanks for all the inputs @JuanS_OCS

Ask a Question
Discussion stats
  • 5 replies
  • 312 views
  • 0 likes
  • 2 in conversation