[BlueOnyx:07476] Re: Network Solutions 2048 SSL
Michael Stauber
mstauber at blueonyx.it
Fri Jun 17 06:34:02 -05 2011
Hi Mark,
> I'm trying to renew an SSL cert and I'm getting "The CSR uses an
> unsupported key size." BO is fully YUM updated. Why is this still
> happening? I'm using Network Solutions for the cert.
The problem here is that you still have the old (1024bit) certificate key and
key request in your site's "certs" directory.
So when you simply generate a new request, it uses the old 1024 bit key to
generate the new request. Otherwise the certificate authority couldn't do a
reissue.
To be able to create a 2048bit CSR, you need to remove the old key and have to
start over.
Say your site is named "www.domain.com". So you log in to your server as
"admin" and "su -" to gain "root" access.
Your "certs" directory for that site is here:
/home/sites/www.domain.com/certs/
Make a copy of it:
cd /home/sites/www.domain.com/
cp -R certs certs.1024b
Then delete the "certs" directory and recreate an empty one:
rm -R certs
mkdir certs
Then recreate your CSR through the GUI and for the time being also create a
self signed certificate that you use until you get the real certificate.
IF you temporarily want to go back to the old 1024bit certificate, then things
get a little complicated:
You NEED the stuff in the "certs" directory that you now have for the
certificate that you're waiting on. So you do not want to lose it.
Hence you make another copy of that directory:
cp -R certs certs.2048b
Then you copy the old certs directory back:
rm -R certs
cp -R certs.1024b certs
Then restart Apache:
/etc/init.d/httpd restart
Once you get the new (real) SSL certificate issued, you have to (again) juggle
the directories around:
rm -R certs
cp -R certs.2048b certs
Then you can install the new certificate through the GUI.
--
With best regards
Michael Stauber
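
An added example, not part of the original message: before sending the CSR to the CA, and after each directory swap, these checks confirm that the request really carries a 2048 bit key and that it belongs to the private key sitting beside it. The function names are made up for this sketch, the file paths are whatever you pass in, and the demo runs on a throwaway key and CSR constructed on the spot.

```shell
#!/bin/sh
# Print the public key size (in bits) of the PEM CSR at $1.
# Matches both "Public-Key: (2048 bit)" and the older "RSA Public Key: (1024 bit)".
csr_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed only if the CSR at $1 has at least $2 bits (default 2048).
csr_strong_enough() {
    bits=$(csr_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "${2:-2048}" ]
}

# Succeed only if the CSR at $1 was generated from the RSA private key at $2.
# A mismatch means the request and key come from different "certs" copies.
csr_matches_key() {
    req_mod=$(openssl req -in "$1" -noout -modulus 2>/dev/null) || return 1
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$req_mod" ] && [ "$req_mod" = "$key_mod" ]
}

# Constructed sample input: throwaway key and CSR of $1 bits, written to
# $2.key and $2.csr. Never use these for a real site.
make_sample() {
    openssl req -new -newkey "rsa:$1" -nodes -subj "/CN=www.domain.com" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
}

# Run the checks on an "old" 1024 bit and a "new" 2048 bit sample.
demo() {
    dir=$(mktemp -d) || return 1
    make_sample 1024 "$dir/old" || return 1
    make_sample 2048 "$dir/new" || return 1
    for name in old new; do
        if csr_strong_enough "$dir/$name.csr"; then verdict="ok"
        else verdict="too small"; fi
        echo "$name.csr: $(csr_bits "$dir/$name.csr") bit ($verdict)"
    done
    csr_matches_key "$dir/new.csr" "$dir/old.key" ||
        echo "new.csr does not belong to old.key"
    rm -rf "$dir"
}
demo
```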