We have a server whose original PKI certificate was issued by a discontinued root CA. We have a replacement certificate issued from a different root authority chain. This site was set up some time ago with Strict-Transport-Security established.

The server key is 4096 bits. The old CA root private key is 1024 bits (it was issued in 2006).

How does one switch PKI keys and certificates for Strict-Transport-Security enabled sites? I have searched for information on this but have so far come up empty.

kubanczyk
James B. Byrne

1 Answer

HTTP Strict Transport Security, also known as HSTS, does not limit use of any other valid certificate.

Are you sure you don't mean HTTP Public Key Pinning (HPKP)?

Edit: Just for clarification, for HSTS the cert has to be trusted to be counted as valid.

Aroly7
  • Yes. I believe that you are correct. I missed the distinction. I will research that instead. – James B. Byrne Apr 10 '19 at 13:48
  • HPKP support was removed from several user agents, but it's highly likely your users are still using affected versions. You will have problems until your last header expires from max-age. – John Mahowald Apr 10 '19 at 13:57
  • The resolution to that would be to add a new header to expire after the current last header expires. – Aroly7 Apr 10 '19 at 13:59
  • To clarify our situation. We do not, and never have, used HPKP. I verified that personally. The issue with the certificates was simply that they had expired. The correct solution was to issue a new certificate signing request (CSR) using the existing server public key which was 4096 bits, have the CSR signed by the new trusted CA, and install that certificate in place of the old one. – James B. Byrne Apr 11 '19 at 16:21
  • If your certificate already expired then yes. Up to this point, I thought that you were preparing since your certificate would soon expire. – Aroly7 Apr 11 '19 at 16:40
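As an added example (not part of the original thread), the rotation described in the final comments scripted with openssl: a fresh CSR from the existing 4096-bit server key, signed by the new CA, followed by the two checks worth running before installing the result, that the certificate's public key is the key already on disk and that it verifies against the new root rather than the retired one. The 4096-bit key, the "new" CA and the hostname `example.test` are generated here as stand-ins for the asker's real material.

```shell
# Constructed example: rotate a server certificate to a new CA while keeping the
# existing 4096-bit server key. Everything lives in a temp dir; the key, the CA
# and the name example.test are generated here, not taken from the original post.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the existing 4096-bit server key mentioned in the question.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
  -out "$WORK/server.key" 2>/dev/null

# Stand-in for the new trusted CA (a self-signed root for this demo).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/newca.key" \
  -out "$WORK/newca.crt" -days 30 -subj "/CN=Demo New Root CA" 2>/dev/null

# Step 1 from the thread: a new CSR from the EXISTING key, not a new key.
make_csr() {
  openssl req -new -key "$WORK/server.key" -subj "/CN=example.test" \
    -out "$WORK/server.csr" 2>/dev/null
}

# Step 2: the new CA signs the CSR.
sign_csr() {
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/newca.crt" \
    -CAkey "$WORK/newca.key" -CAcreateserial -days 30 \
    -out "$WORK/server.crt" 2>/dev/null
}

# Check A: the issued certificate carries the same public key as server.key.
# Comparing public-key hashes catches an accidentally regenerated key.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORK/server.crt" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}

# Check B: the certificate chains to the new root, not to the retired CA.
chain_verifies() {
  openssl verify -CAfile "$WORK/newca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Check C: the key length really is 4096 bits, as stated in the question.
key_bits() {
  openssl pkey -in "$WORK/server.key" -noout -text 2>/dev/null \
    | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

make_csr && sign_csr
key_matches_cert && chain_verifies && echo "rotation OK: $(key_bits)-bit key kept"
```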