| Summary | This article clarifies the implication of replacing client- or server-side certificates. |
|---|---|
| Environment | Orbix 6.3 All Supported Operating Systems |
| Question/Problem Description | Is it possible to replace certificates only on the client side or only on the server side without affecting the other party? If certificates need to be replaced on the server side, do the client-side certificates need to be replaced as well? |
| Clarifying Information | In a secured environment with mutual authentication, the client and the server both use certificates to secure the communication. During the SSL handshake, these certificates are exchanged and verified by each party in order to establish a secure connection. |
| Error Message | |
| Defect/Enhancement Number | |
| Cause | |
| Resolution | It is possible to replace the certificates only on the client side or only on the server side without affecting the other party or the establishment of a secure connection. However, ensure that the details of the new certificates (e.g. the Common Name) are the same as before, in case the other party explicitly configures certificate constraints. Also ensure the new certificates are generated by the same CA that generated the previous certificates, so that the other party still trusts the CA. In the case of self-signed certificates, ensure the same private CA that was used to create the previous certificates is also used for the new certificates. If a new private CA is created (even if it is created with the same details as the previous one), it will be different from the previous one and will not be trusted by the other party unless it is configured as a trusted CA. For further details on managing and deploying certificates, please see the "Orbix Security Guide" available at: |
| Workaround | |
| Notes | |
| Attachment |
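The CA-trust point in the Resolution, as an added example that is not part of the original article and does not use Orbix tooling: it uses the `openssl` command line, with `openssl verify` standing in for the other party's trusted-CA check. All subjects, file names and keys are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: every subject, file name and key below is made up for illustration.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <name>: create a self-signed private CA. Every CA gets the SAME subject DN.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example/CN=Example Private CA" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue <ca> <leaf>: issue a certificate with an unchanged Common Name, signed by <ca>.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example/CN=orbix-server" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2.csr" -days 30 -CAcreateserial \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/$2.pem" 2>/dev/null
}

# peer_trusts <trusted-ca> <leaf>: succeeds only if <leaf> chains to <trusted-ca>.
peer_trusts() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# subject_of / fingerprint_of <cert>: what the certificate claims vs. what it is.
subject_of() { openssl x509 -in "$WORK/$1.pem" -noout -subject; }
fingerprint_of() { openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256; }

make_ca old_ca                      # the CA the other party already trusts
make_ca new_ca                      # recreated "with the same details"
issue old_ca server_old             # certificate being replaced
issue old_ca server_renewed         # replacement from the same CA
issue new_ca server_from_new_ca     # replacement from the recreated CA

for leaf in server_old server_renewed server_from_new_ca; do
    if peer_trusts old_ca "$leaf"; then
        echo "$leaf: trusted by a peer that trusts old_ca"
    else
        echo "$leaf: rejected by a peer that trusts old_ca"
    fi
done
```

The two CA certificates carry an identical subject but different keys and fingerprints, which is why only the certificate issued by the recreated CA is rejected.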