Replace SSL certificates used by CA XCOM that will expire

Document ID : KB000012771
Last Modified Date : 14/02/2018
Introduction:

Our CA XCOM transfers use SSL certificates to perform secure transfers. The SSL certificates are about to expire and we would like to know how to create new SSL certificates.

Question:

The SSL certificates being used by CA XCOM are about to expire. How do I create new certificates?

Environment:
XCOM r11.6 for Windows
XCOM r11.6 for Linux or UNIX
Answer:

The first thing you need to verify is where or how the SSL certificates currently in use were created. They could have been created with the CA XCOM supplied sample scripts, or they could have been obtained from a third-party vendor or from your security team.

The steps below apply only when the SSL certificates were created with the CA XCOM supplied sample scripts. If the certificates were obtained by other means, address the renewal with your Security Administrator.

Here are the instructions. Paths and script names are shown for Windows; on Linux or UNIX the directory is $XCOM_HOME/ssl and the equivalent sample shell scripts are used.

NOTE: Please READ carefully before proceeding. Keep in mind that the scripts and certificates are samples intended for testing. Work with your Security Administrator to confirm they are acceptable for your site. It is your responsibility to maintain and document your procedures for the future.

- If you have already created SSL certificates using the XCOM supplied sample scripts, do the following:

***  MAKE a backup of the directory containing your current SSL certificates before you change anything. ****

1. Remove the following files and directories from the %XCOM_HOME%\ssl directory:

         - all index.* files

         - the random.pem file

         - all serial.* files and the serial file

         - the certs and private directories

Note: certs\cassl.pem (the CA certificate) and private\casslkey.pem (its private key) may still be valid even though the client and server certificates are about to expire, because their lifetime is set separately. If they have not expired and you want to keep using them, copy both files to a safe directory before removing the certs and private directories; they are put back in step 6. If you decide not to reuse them, remove them and generate a new CA certificate.

2. Review the values you have set in configssl.cnf to make sure they are still correct for your site. Also review the cassl.conf, clientssl.conf and serverssl.conf files located in your %XCOM_HOME%\ssl directory.

3. Modify the makeca.bat script as documented in the XCOM Administration Guide, chapter Generating SSL certificates, so that it sets the new expiration date for the CA certificate (the number of days the script passes to openssl). Make sure to back up the script before making any changes.

4. Review the value of "default_days" in the cassl.conf file. That value sets the lifetime of the client and server certificates. The shipped default is 365 days; you can modify that value.

5. Once you have done all of the above, run the "makeca.bat" script to generate the new CA certificate and key.

6. **** If you intend to keep using your existing CA certificate and key, do the following:

          -  go to the certs and private directories that were just created and remove the new cassl.pem and casslkey.pem files

          -  copy your saved cassl.pem into certs and your saved casslkey.pem into private

          -  go to step 7

    Keep in mind that a client or server certificate only validates while the CA certificate that signed it is also valid, so the remaining lifetime of the existing CA certificate caps the useful life of the certificates you create in step 7.

    **** If you don't intend to use your existing CA certificate, proceed to step 7.

7. Run the makeclient.bat and makeserver.bat scripts. They create the new client and server certificates with the new expiration date.

8. Run listca.bat, listclient.bat and listserver.bat to verify the validity dates of the new certificates.

9. Perform a loopback transfer (XCOM transferring to itself) using the new SSL certificates to make sure everything works.

If you have multiple CA XCOM remote partners that transfer files between themselves, each partner must trust the CA that signed the certificate presented to it. If you generated a new CA certificate in step 5, that CA certificate must be distributed to every partner (and you need the CA certificate of any partner that generated its own), otherwise the SSL handshake fails. Contact your Security Administrator for details on how to handle the setup of SSL across your systems.
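As an added example (not one of the CA XCOM sample scripts and not part of the original article), the following POSIX shell script builds a throwaway directory in the certs/private layout described above, populates it with constructed sample certificates, and then runs the two checks you want after step 8 and before exchanging certificates with partners: how many days each certificate has left (the information listca.bat, listclient.bat and listserver.bat show you) and whether each client/server certificate actually chains to certs/cassl.pem. The file names clientssl.pem and serverssl.pem, the -days values and the extra "other-partner" certificate signed by an unrelated CA are assumptions made for the demo; only openssl on PATH is required.

```shell
#!/bin/sh
# Added example: expiry and chain checks over an XCOM-style ssl directory.
# Assumptions: openssl on PATH; certs/cassl.pem is the CA, private/casslkey.pem
# its key, certs/clientssl.pem and certs/serverssl.pem the leaf certificates.
set -eu

# Build a sample ssl directory (constructed data, mirrors %XCOM_HOME%\ssl layout).
# CA lives 30 days, client 10 days, server 60 days; a fourth certificate is
# self-signed by an unrelated CA to show what a partner with its own CA looks like.
make_sample_ssl_dir() {
    dir=$(mktemp -d)
    mkdir -p "$dir/certs" "$dir/private"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example XCOM CA" \
        -keyout "$dir/private/casslkey.pem" -out "$dir/certs/cassl.pem" >/dev/null 2>&1
    for leaf in client:10 server:60; do
        name=${leaf%%:*}; days=${leaf##*:}
        openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=xcom-$name" \
            -keyout "$dir/private/${name}sslkey.pem" -out "$dir/$name.csr" >/dev/null 2>&1
        openssl x509 -req -sha256 -days "$days" -in "$dir/$name.csr" \
            -CA "$dir/certs/cassl.pem" -CAkey "$dir/private/casslkey.pem" -CAcreateserial \
            -out "$dir/certs/${name}ssl.pem" >/dev/null 2>&1
    done
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 10 -subj "/CN=other-partner CA" \
        -keyout "$dir/private/otherkey.pem" -out "$dir/certs/other-partner.pem" >/dev/null 2>&1
    echo "$dir"
}

# Print the notAfter date of a certificate.
cert_end_date() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Return 0 if the certificate is still valid in N days, 1 if it expires before then.
cert_survives_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print "ok" if cert $1 chains to the CA file $2, "FAIL" otherwise.
chain_ok() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo FAIL; fi
}

# Walk the directory like the list*.bat scripts would: report every certificate,
# warn on anything expiring within $2 days, and confirm leaves chain to the CA.
# Returns non-zero if any certificate needs attention.
check_ssl_dir() {
    ssl_dir=$1; warn_days=$2; status=0
    ca_cert="$ssl_dir/certs/cassl.pem"
    for c in "$ca_cert" "$ssl_dir/certs/clientssl.pem" "$ssl_dir/certs/serverssl.pem"; do
        [ -f "$c" ] || continue
        printf '%s\n  notAfter: %s\n' "$c" "$(cert_end_date "$c")"
        if cert_survives_days "$c" "$warn_days"; then
            echo "  expiry: more than $warn_days days left"
        else
            echo "  expiry: WARNING, expires within $warn_days days"; status=1
        fi
        if [ "$c" != "$ca_cert" ]; then
            chain=$(chain_ok "$c" "$ca_cert")
            echo "  chains to certs/cassl.pem: $chain"
            [ "$chain" = ok ] || status=1
        fi
    done
    return $status
}

# Stand-alone demo on the constructed data.
demo_dir=$(make_sample_ssl_dir)
check_ssl_dir "$demo_dir" 14 || echo "At least one certificate needs attention within 14 days"
echo "other-partner.pem against our CA: $(chain_ok "$demo_dir/certs/other-partner.pem" "$demo_dir/certs/cassl.pem")"
rm -rf "$demo_dir"
```

Run it against a real installation with check_ssl_dir "$XCOM_HOME/ssl" 30 after step 8 to catch a leaf certificate that was issued beyond the CA's own expiry, and use chain_ok with a partner's CA file before the first cross-site transfer; the other-partner case in the demo fails exactly the way a partner that generated its own CA fails until the CA certificates are exchanged.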