Can someone update the "Renewing or upgrading an SSL certificate" post please?


1 reply to this topic

#1 Bram Mertens

Bram Mertens
  • Members
  • 1 posts

Posted 12 September 2019 - 09:32 AM

Hi,

I ran into an error when trying to renew an external SSL certificate on our CloudGen Firewall.

Renewing the certificate itself seems to work fine but updating the private key throws an error: error:0906D06C: PEM routines: PEM_read_bio:no start line.

I found a post by Gavin Chappell titled "Renewing or upgrading an SSL certificate" which seemed promising but appears to be outdated.

If there are other gotchas in the renewal process using the Firewall Admin tool please update the documentation and/or post an update to that post.

E.g. does the private key need to be changed to a different format?

The documentation refers to an "External-Signed Private key", what does "signed" mean in this context?

Thanks in advance.

Bram



#2 Gavin Chappell

Gavin Chappell
  • Moderators
  • 412 posts
  • Location: Nottingham, UK

Posted 12 September 2019 - 09:36 AM

I found a post by Gavin Chappell titled "Renewing or upgrading an SSL certificate" which seemed promising but appears to be outdated.

The post you're talking about (and indeed, this entire forum) is for the legacy standalone SSL VPN appliance, not the CloudGen Firewall's integrated SSL VPN; the post you're referring to is still valid for the product it was written for, it just isn't your product :)

The private key needs to be in the PEM format (which is also used by Apache and other common webservers); I believe Firewall Admin will allow you to upload an encrypted PEM key as long as you can provide the password at the time you import it, or you can import an unencrypted one.

If you're getting an error about "no start line" then I would say this is down to one of two things:

1 - you don't have a PEM file, but you have another format (DER is common, which is binary encoded)

2 - you have a certificate and key combined in a single PEM file, and therefore the first line of the file is "----- BEGIN CERTIFICATE -----" and not the expected "-----BEGIN RSA PRIVATE KEY-----" or similar header
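
An added example, not part of the original posts and not Barracuda or Firewall Admin code: a standard-library Python check that sorts a file into the two cases listed above (DER instead of PEM, or a combined PEM whose first block is the certificate) before it is imported as a private key. The function name `diagnose_key_file`, the result strings and the sample inputs are assumptions constructed for illustration.

```python
import re

# PEM boundary line, e.g. "-----BEGIN RSA PRIVATE KEY-----" (label captured).
PEM_BEGIN = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)


def diagnose_key_file(data: bytes) -> str:
    """Classify the bytes of a file that is about to be imported as a private key."""
    labels = [m.group(1).decode("ascii") for m in PEM_BEGIN.finditer(data)]
    if not labels:
        # DER is binary ASN.1; keys and certificates start with a SEQUENCE tag (0x30).
        if data[:1] == b"\x30":
            return "der: binary DER file, convert it to PEM first"
        return "unknown: no PEM BEGIN line and not DER"
    first = labels[0]
    if not first.endswith("PRIVATE KEY"):
        if any(label.endswith("PRIVATE KEY") for label in labels):
            return f"combined: file starts with {first}; move the key to its own file"
        return f"no-key: only {', '.join(labels)} present"
    # Traditional encrypted keys carry a Proc-Type header; PKCS#8 has its own label.
    encrypted = first == "ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in data
    state = "encrypted" if encrypted else "unencrypted"
    return f"ok: {state} {first}"


# Constructed samples: the base64 body is a placeholder, not real key material.
BODY = b"TUlJQ3BsYWNlaG9sZGVy\n"
KEY = b"-----BEGIN RSA PRIVATE KEY-----\n" + BODY + b"-----END RSA PRIVATE KEY-----\n"
CERT = b"-----BEGIN CERTIFICATE-----\n" + BODY + b"-----END CERTIFICATE-----\n"
ENC = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
       b"DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
       + BODY + b"-----END RSA PRIVATE KEY-----\n")
SAMPLES = {
    "key.pem": KEY,
    "combined.pem": CERT + KEY,
    "key.der": b"\x30\x82\x04\xa4\x02\x01\x00",
    "encrypted.pem": ENC,
    "cert-only.pem": CERT,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {diagnose_key_file(blob)}")
```

The check only inspects the file's framing; it does not parse or validate the key material itself.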