Menu Search
Jump to the content X X
Smashing Conf New York

You know, we use ad-blockers as well. We gotta keep those servers running though. Did you know that we publish useful books and run friendly conferences — crafted for pros like yourself? E.g. our upcoming SmashingConf New York, dedicated to smart front-end techniques and design patterns.

How To Issue A New SSL Certificate With An Old SSL Key

There was obviously a lot of confusion about how HTTP Public Key Pinning1 (HPKP) worked. In the middle of the incredibly hectic process of running a major conference, it’s the last kind of issue anybody wants to have to deal with. In today’s article, I’d like to explain how to issue a new certificate that uses the keys of the old expired SSL certificate.

Getting Back To Normal

The truth is that there was no surefire way out of this without some users still seeing issues, but here are the steps I helped Smashing Magazine to take to get back to a normal situation.

Further Reading on SmashingMag:

1. Procure the original private key for the expired certificate

At first, their web host claimed that the copy they had required a password that they were not aware of. Fortunately, you don’t just use the key when generating the certificate. The web server doing the TLS termination also needs a copy of the private key, and on servers the private key is rarely password protected since this requires manually typing the password every time the server is restarted for any reason.

We got the web host to find the old key on the web server and with that key in hand we were ready for the next step.

2. Add the old key to the new public key pinning headers

Running this OpenSSL command generates the Base64 encoded digest of the key that will tell browsers to pin it:

openssl rsa -in my-key-file.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64

With this digest in hand, I told Smashing Magazine to update their headers to:

Public-Key-Pins: 
pin-sha256="35L+K6PY5ynTu15SYPrT8KXp5TRH8kzP46mYLpv9k30="; 
pin-sha256="8RoC2kEF47SCVwX8Er+UBJ44pDfDZY6Ku5mm9bSXT3o="; 
pin-sha256="78j8kS82YGC1jbX4Qeavl9ps+ZCzb132wCvAY7AxTMw="; 
pin-sha256="GQGOWh/khWzFKzDO9wUVtRkHO7BJjPfzd0UVDhF+LxM="; 
max-age=86400; includeSubDomains

Two changes here — I brought the max-age down to one day instead of a full year. Having a max-age of a year for public key pinning means that losing the private keys used to generate the certificates can permanently shut down your site completely for a year. Bad idea!

The other change was to include the digest for the old certificate. We needed to do this because a group of visitors that had visited the site after the new certificate went live, but didn’t have the old certificate pinned, would now get the same SSL errors if Smashing simply switched certificates again. So we pushed this out and gave them a few hours to make a second visit and get the old digest as well.

3. Generate a new certificate from the old key

The penultimate step was to generate a new certificate from the old key. To generate an SSL certificate you first need a “Certificate Request.” You’ll never want to share your private key with the certificate provider. Instead, you use it to sign a certificate request like this:

openssl req -new -sha256 -key my-key-file.key -out my-certificate-request.csr

During the certificate request generation, you’ll be asked about various questions. The most important is the “Common Name” of the certificate which determines what domain it will be valid for.

Once you have a CSR, you can use it to order a certificate from any provider.

4. Change the certificate

Armed with the new certificate signed with the old key, we could finally put a certificate live that would work again for the vast majority of visitors. Some unlucky souls may have visited while the new certificate with the new key pinning header was live, without coming back while both key pining headers were in place. These will simply be unable to access Smashing Magazine until they clear their key pinning cache or use another browser.

After losing out on thousands of visitors, Smashing Magazine was back online and the people behind it could go back to focusing on a fantastic conference6 in Barcelona.

(vf, ms, il)

Footnotes

  1. 1 https://www.smashingmagazine.com/be-afraid-of-public-key-pinning/
  2. 2 https://www.smashingmagazine.com/2016/02/getting-ready-for-http2/
  3. 3 https://www.smashingmagazine.com/2017/03/world-wide-web-not-wealthy-western-web-part-1/
  4. 4 https://www.smashingmagazine.com/2015/09/https-everywhere-with-nginx-varnish-apache/
  5. 5 https://www.smashingmagazine.com/2016/05/modern-wordpress-server-stack/
  6. 6 https://smashingconf.com/

↑ Back to top Tweet itShare on Facebook

Matt Biilmann has been building developer tools, content management systems and web infrastructure for more than a decade. He is co-founder and CEO of Netlify, the premium static hosting platform. In his spare time he drinks Jazz and listens to Beer, while helping to organize the SF Static Web-Tech Meetup.

  1. 1

    hamza abdullah moh

    October 29, 2016 8:29 am

    this a great idea for people who has shell access on their hosting server.

    1
  2. 2

    does SSL certificate help in boosting google page rank ?
    i have a website
    but its does not have SSL certificate this is my startup company webite a little help would be appreciated.

    -2
  3. 4

    Wow Mathias.i don’t know this before.you save me from buy a new ssl certificate. I have a old ssl certificate of my website.Now i will use that with your following steps.Thanks for sharing this with us

    0
  4. 5

    Thank you for sharing :)

    This is exactly what we needed!
    Great Article.
    Sucess

    0
  5. 6

    Interesting anecdote about the failure and recovery… I’m thinking that putting the max-age at a day pretty much nullifies the HPKP setup. The only MITM attack you will stop is one that occurs within 24 hours of a previous visit by the same victim. I don’t know for your website, but for e.g. a banking website that would be a bit non-sensical, no? Or am I missing something? Regards

    0
  6. 7

    Isn’t a max-age of only 24 hours kind of useless? With such a low value, why even bother having key pinning at all? RFC 7469 suggests, “A value on the order of 60 days (5,184,000 seconds) may be considered a balance between the two competing security concerns.”

    0
    • 8

      Oops, I misspoke on the 60-day recommendation. It seems 60 days is what the RFC is recommending as a maximum max-age (i.e. a hard cap within the browser). So with your original max-age of 1 year, a sensible browser would’ve been ignoring that value and using 60 days instead of 1 year.
      Looks like the RFC does not actually suggest any particular max-age value for website operators to use in their headers. Nevertheless, 24 hours still strikes me as too short to be of much use.

      0

Leave a Comment

You may use simple HTML to add links or lists to your comment. Also, use <pre><code class="language-*">...</code></pre> to mark up code snippets. We support -js, -markup and -css for comments.

↑ Back to top