
I thought I had really dug a hole today.  

When attempting to renew my SSL cert for our domain, the Server Admin kept giving me errors when I tried to add a signed certificate.  My erroneous steps to install the renewed certificate were as follows:

  1. Take SSL off for the domain
  2. Remove the certificate from the system
  3. Add a self-signed certificate for the domain
  4. Add a signed certificate from the CA

Upon doing so, I attempted to use the certificate sent to me by my CA, supposedly gotten with the original certificate request.  However, Server Admin was doing some strange things.  Upon the 1st attempt to load the signed certificate into the newly created self-signed certificate, it would throw this error (not an exact quote):

Cannot update the file… returning to the list

When it returned to the list, my self-signed certificate was gone.  However, if I opened up Keychain Access, it showed the CA’s certificate as being loaded. If I attempted to do it again, the following error would show up in the server log:

SecCertificateAddToKeychain (err = -25299)

I really couldn’t find jack about how to fix that other than this, which just told me what it meant — I already had a passkey for the cert I was trying to load.

So, after banging my head against my desk, I decided to go to my CA’s website and request a reissued cert.  I knew that I had to put in a new CSR in order to get a reissue so I thought that maybe that would help.  In fact, it did. However, I had to go into terminal and remove all the remnants of the old certificates from /etc/certificates and /etc/httpd/ssl.crt.  I believe that also using a combination of the Keychain Access and Server Admin apps may allow you to remove any traces as well.  Don’t forget to remove the certificates, the .crt files and the .key files.

So, for future reference, whenever a signed SSL cert needs to be renewed, make sure you paste in a CSR during the renewal process, and use the associated signed certificate from the CA!
