How to renew expiring SSL Certificate

View some of the Frequently Asked Questions to our support staff. Included are some tips and tricks making this forum ideal for users getting started with GoAnywhere MFT. Note: Users can reply to existing topics but only our support staff can add new topics to this forum.
1 post Page 1 of 1

Support_Julie

User avatar
Support Specialist
Posts: 91
Joined: Thu Mar 05, 2009 3:49 pm
Location: Ashland, NE USA

Post by Support_Julie » Thu Oct 11, 2018 12:18 pm
Question:
What should I do when the SSL Certificate used by GoAnywhere for our HTTPS Service is expiring?

Answer:
It is not necessary to create a new SSL Certificate/Key pair. You can re-certify it.

First, identify what SSL Certificate/Key pair is used.
1. To manage the HTTPS Service, log in as an Admin User with the Product Administrator role.
2. From the main menu bar, select Services and then click the Service Manager link.
3. Click the Action icon next to the HTTPS Service, and then click the Edit icon.
4. Click on the Server icon.
5. Click on the Listener.
6. Then click on the SSL tab.
7. The key alias identifies a key pair and its associated certificate from all the ones within a Key Store.

Now, open the Key Store where the key is stored.
If using File Based Certificate, From the main menu, select Encryption > File Based Keys, and then click the Certificates link.
If using the Key Management System, From the main menu, select Encryption > Key Management System >click on the System, the Key Vault used for storing the Private Keys/Certificates used > Click the Action icon next to System and then click on Manage Certificates.


Generate CSR (Certificate Signing Request)
1. Log in as an Admin User with the Key Manager role to manage certificates in a Domain's Key Vault. To manage certificates in the System Key Vault, log in as an Admin User with the Product Administrator and Key Manager roles.
2. From the main menu, select Encryption, and then click the Key Management System link.
3. Click the Action icon next to the desired Key Vault and select Manage Certificates.
4. From the Certificate Manager page, select the Action icon for the certificate and then click the Generate CSR button. If no certificates exist, create an SSL certificate. The file will be downloaded to the default download directory on your PC. The file name is constructed by the system using the certificate's name with a .csr extension.
5. Send this file to a certificate authority (CA) for signing.
The Certificate Authority (CA) will review your CSR and return a reply. The reply will contain the digital signature of the CA. This reply can be imported using the Import CA Reply function.

Import CA Reply
This function allows you to import a reply (signed certificate) from a Certificate Authority (CA). This reply is in response to a CSR (Certificate Signing Request) that you generated earlier. If the CSR was approved, the reply will contain the digital certificate of the CA.
Follow the instructions below to import a CA reply:
1. Log in as an Admin User with the Key Manager role to manage certificates in a Domain's Key Vault. To manage certificates in the System Key Vault, log in as an Admin User with the Product Administrator and Key Manager roles.
2. From the main menu, select Encryption, and then click the Key Management System link.
3. Click the Action icon next to the desired Key Vault and select Manage Certificates.
4. In the Certificate Manager page, select the Action icon for the certificate and select Import CA Reply.
5. On the Import CA Reply page, click to select the location where the CA Reply file is located.
6. In the Input File box, type the location for the file or click the Browse button to browse for the file.
7. If the certificate password is not stored in the Key Vault, it must be supplied in order to import the certificate.
8. Click the Import button to import the reply.

NOTE:
If you do not have the current signing authority root and intermediate certificates are not available, you will receive a "PKIX" error. Download the root and intermediate certificate from the Signing authority. Import them into your Key Store (in that order)

NOTE:
If the reply contains an approval from the CA, then your certificate will be signed with the digital signature of the CA. You can verify this signature by viewing the details for your certificate (click the View icon next to the certificate).


What to do if you need to create a new Certificate/Key pair?
1. Create a new Certificate/Key pair in the same location that your current Certificate/Key pair referenced by GoAnywhere is located. Specify the “Alias” name the same as the current alias with the word “New”. For example, the current alias is “YourCompany”. Specify the new Key alias as “YourCompany New”.
2. Generate the CSR, send to a signing authority and import the CA Reply.
3. Rename the current Key Alias (or KMS Certificate/Key name) to old. For example: “YourComany Old”.
4. Rename the new Key Alias (or KMS Certificate/Key name) to current name. For example: “YourCompany”.

Restart the HTTPS service
1. From the Service Manager, select the Action icon.
2. Restart a service by clicking on the Restart icon. Any active sessions will be terminated for the service.
3. Once the service has been restarted, you should see the Certificate when you view the certificate from the browser while accessing the HTTPS web client.
Julie Rosenbaum
Sr Support Analyst
e. goanywhere.support@helpsystems.com
p. 1.800.949.4696
w. HelpSystems.com
1 post Page 1 of 1