Changing SSL certificate - YOUR interaction may be needed!

The current certificate will expire on 28th July, and it's time to replace it. But I was unable to regenerate the authentication certificate for the StartSSL panel (maybe I'm not skilled enough for it? :-) ). While Let's Encrypt still isn't here, I've decided to create my own CA, at least for temporary use. This means the following: on Sunday, 26th July, I'll replace the currently installed certificate with the generated one. As my CA is not in everybody's trusted store, you may need to import it manually.

Plain certificate

loadaverage_ca1.crt

Signed certificate

Signed certificate is also available: loadaverage_ca_1.crt.gpg

Key ID: 083FD824 (pztrn at pztrn dot name)
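
One way to use the signed copy before importing anything, as an added example that is not part of the original announcement: the script checks the GPG signature on loadaverage_ca_1.crt.gpg, confirms the plain file holds the same certificate, and confirms it is marked as a CA. It assumes the signed file was produced with `gpg --sign`, that the signer's public key is already in your keyring, and that both files are in the current directory; the function names and the script name check_ca.sh are made up for this example.

```shell
#!/bin/sh
# Added example: check a downloaded CA certificate before trusting it.
# Assumed: the .gpg file was made with `gpg --sign`, and the signer's public
# key is already in your keyring. Function names are made up for this sketch.

# SHA-256 fingerprint of a PEM certificate ("AB:CD:...").
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if basicConstraints marks the certificate as a CA.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep 'CA:TRUE' >/dev/null
}

# Succeeds only if both files hold the same, parseable certificate.
same_cert() {
    a=$(cert_fingerprint "$1") && b=$(cert_fingerprint "$2") &&
        [ -n "$a" ] && [ "$a" = "$b" ]
}

# Unwrap signed file $1 into $2. Succeeds only on a good signature whose
# signing-key or primary-key fingerprint ends with key ID $3.
verify_signed_copy() {
    gpg --batch --yes --status-fd 1 --output "$2" --decrypt "$1" 2>/dev/null |
        awk -v id="$3" '
            $2 == "GOODSIG" { good = 1 }
            $2 == "VALIDSIG" && ($3 ~ (id "$") || $NF ~ (id "$")) { match_id = 1 }
            END { exit !(good && match_id) }'
}

# Usage: sh check_ca.sh loadaverage_ca1.crt loadaverage_ca_1.crt.gpg [KEYID]
check_before_import() {
    tmp=$(mktemp) || return 1
    if verify_signed_copy "$2" "$tmp" "${3:-083FD824}" &&
        same_cert "$1" "$tmp" && is_ca_cert "$1"; then
        echo "verified, SHA-256 fingerprint: $(cert_fingerprint "$1")"
        rc=0
    else
        echo "verification FAILED, do not import $1" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

if [ "$#" -ge 2 ]; then check_before_import "$@"; fi
```

An 8-digit key ID is easy to collide, so pass the signer's full fingerprint as the third argument if you have obtained it through another channel.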

How to import

Import to browser's store

This makes your browser, and only your browser, trust all certificates signed by my CA.

This operation should be done for every web browser you use, because most of them (like Firefox or Chromium) use their own certificate store.

Download this file and import it into the browser's trust store.

For Firefox: Settings - Advanced - Certificates - View Certificates - Certificate Authorities - Import, and select the downloaded file.

Import to OS certificates store

This makes all your programs, except browsers, trust all certificates signed by my CA!

Execute these commands as root:

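# Download the CA certificate into the OpenSSL certificate directory (URL quoted so the shell does not treat "?" as a glob)
wget 'https://wiki.loadaverage.org/_export/code/news/changing_ssl_certificate_your_interaction_may_be_needed?codeblock=0' -O /etc/ssl/certs/loadaverave_ca1.pem
cd /etc/ssl/certs
# Create the <subject-hash>.0 symlink that OpenSSL uses to look up the CA
ln -s loadaverave_ca1.pem "$(openssl x509 -hash -noout -in loadaverave_ca1.pem).0"
update-ca-certificates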

...or do not import, and accept

Every browser has the ability to “accept” a self-signed certificate or a certificate issued by an unknown CA. Just accept it, and everything will be alright.

How to verify that everything is okay?

Compare your results with these screenshots (careful, they're in Russian):

When will the next changes happen?

The next certificate change should happen right after Let's Encrypt becomes available for general use.


