The problem is on the UNIX or Linux side: the U in the 5th position of the error message indicates where the error originated. Run listca, listclient and listserver on Linux or UNIX to verify which of these certificates has expired. It is possible for one or more of the certificates to be fine and the other(s) expired.
If one of the certificates is expired, all the certificates on that machine must be regenerated.
An overview of the steps:
- Back up the current root certificate and key
- Delete the current certificates
- Set the parameters for the new expiration date
- Run makeca
- Restore the original casslkey.pem and cassl.pem files
- Run makeclient, makeserver
Back up the current root certificate and key
These are the private/casslkey.pem and certs/cassl.pem files. You must save these because these files must match on both partners (and on all the partners sending SSL files to one another).
Delete the current certificates
Before you regenerate the certificates, you must delete the existing certificates.
** Be very careful with this **
Manually delete the CERTS & PRIVATE subdirectories that are in the SSL subdirectory under your XCOM install directory.
You also need to delete the following files:
- all index.* files in the SSL subdirectory
- all serial.* files in the SSL subdirectory
- the random.pem file in the SSL subdirectory
Set the parameters for the new expiration date
To do this, you specify how long, in days, the certificate will be valid.
For example, to extend the certificates for 1 year, do the following. (You may also choose any other time period you want, for example, 2 years, 10 years.)
Edit the parameter "default_days=" in the [CA-XCOM] section of the cassl.conf file and set it to 365. Save the cassl.conf file.
Also modify makeca.bat to add -days 365 at the end of the OPENSSL command:
openssl req -x509 -newkey rsa -out ./certs/cassl.pem -outform PEM -days 365
Run makeca
Run the makeca script to create the Certificate Authority certificate.
Restore the original root certificate and key
Copy the saved casslkey.pem to the private directory and the cassl.pem file to the certs directory. This will overlay the dummy casslkey.pem and cassl.pem files that makeca just created.
Run makeclient, makeserver
Run the makeclient and makeserver scripts again to regenerate the certificates with the new expiration date.
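A check to run after the last step, as an added example that is not part of the XCOM scripts: it confirms that the restored cassl.pem is the same certificate as the backup, and reports the expiry and issuer of every certificate in the certs directory. Only certs/cassl.pem is named on this page; the function names and the assumption that every certs/*.pem file is a certificate are made for this example.

```shell
#!/bin/sh
# Added example (not XCOM's own tooling). Only certs/cassl.pem is named on the
# page; treating every certs/*.pem as a certificate is an assumption.

# cert_status FILE [DAYS] -> prints ok | expiring | expired | unreadable
cert_status() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# same_ca BACKUP RESTORED -> success only when both hold the same certificate,
# i.e. the saved cassl.pem really replaced the dummy one written by makeca.
same_ca() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# audit_ssl_dir SSL_DIR [DAYS] -> one line per certificate; non-zero exit when
# any is expired, unreadable, or not issued by SSL_DIR/certs/cassl.pem.
audit_ssl_dir() {
    rc=0
    for f in "$1"/certs/*.pem; do
        [ -f "$f" ] || continue
        st=$(cert_status "$f" "${2:-30}")
        # -no_check_time keeps expiry (reported above) separate from the issuer check
        if openssl verify -no_check_time -CAfile "$1/certs/cassl.pem" "$f" >/dev/null 2>&1
        then issuer=issued-by-cassl
        else issuer=NOT-issued-by-cassl; rc=1
        fi
        case "$st" in expired|unreadable) rc=1 ;; esac
        echo "$f $st $issuer"
    done
    return $rc
}
```

Call same_ca with the backup copy and the restored certs/cassl.pem before running makeclient and makeserver, then audit_ssl_dir with the SSL subdirectory once they have finished.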