Change of certification authority.

Published: September 2, 2020 - 5:23 PM
by OlivierM
Hello,

my SSL certificate on my WAPT server is about to expire.
Due to a change of provider, the new certificate I obtained is not from the same certificate authority as the first one (generated two years ago).

How can I deploy this new certificate on my server without losing contact with my WAPT clients?

Currently, I'm verifying the server certificate using a certificate bundle containing the CAs from the old provider...

Thank you for your help.

Re: Change of certification authority.

Published: September 15, 2020 - 4:31 PM
by OlivierM
Too bad, no response.
So I'll answer myself (it might be useful to someone else).

My plan:

I'm going to try deploying a package that disables pinning (verify_cert = 1) on the clients.
Since the certificates aren't self-signed, I'll keep valid SSL encryption.

Once this change is propagated to all clients, I'll change the certificates of my new CA on my WAPT server and verify that everything is still communicating correctly.

Regards,

Re: Change of certification authority.

Published: September 29, 2020 - 11:52 AM
by OlivierM
The procedure worked correctly; luckily I had a week or two to deploy the new configuration to the clients, otherwise, with certificate pinning and the CA change, a loss of connection with all clients would have been guaranteed.


Pay attention to the certificate bundle in nginx:
The public certificate bundle (/opt/wapt/waptserver/ssl/cert.pem) must include, in order, the server certificate first, then the intermediate certificates, and finally the root certificate. They were provided in reverse order by my provider (GEANT).

My personal conclusion: no pinning if you are using valid (non-self-signed) certificates.
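The bundle-ordering pitfall in the last post is worth checking mechanically before nginx is reloaded, because a reversed bundle still "works" for a client that only pins the CA and breaks the moment strict chain validation is turned on. The following script is an added example and not part of the forum post or of WAPT; it uses only the Python standard library, walking each certificate's DER just far enough to pull out the raw issuer and subject Name fields, then verifying that each certificate is issued by the one after it and that the last one is self-signed (the root). The sample bundle it checks is constructed inline from toy, unsigned X.509 structures with made-up names, so it runs offline; the real file path on the server is the one given above.

```python
"""Check that a PEM bundle is ordered server -> intermediates -> root.

Added example (standard library only); not the forum poster's code and not
part of WAPT. Certificates are compared by the raw DER of their Name fields,
which is the byte-for-byte matching RFC 5280 allows. It does not check
signatures, so it complements rather than replaces a full chain validation.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(bundle_text):
    """Return the DER bytes of every certificate block in the bundle, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(bundle_text)]


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Return the raw DER (header included) of the issuer and subject Names."""
    tag, tbs_pos, _ = _read_tlv(der, 0)         # Certificate SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, pos, _ = _read_tlv(der, tbs_pos)        # tbsCertificate SEQUENCE
    assert tag == 0x30, "tbsCertificate is not a SEQUENCE"
    tag, _, vend = _read_tlv(der, pos)
    if tag == 0xA0:                              # optional explicit [0] version
        pos = vend
    fields = []
    for _ in range(5):                           # serial, sigAlg, issuer, validity, subject
        _, _, fend = _read_tlv(der, pos)
        fields.append(der[pos:fend])
        pos = fend
    return fields[2], fields[4]


def check_bundle_order(bundle_text):
    """Return a list of problems; an empty list means the order is correct."""
    certs = [issuer_and_subject(d) for d in pem_to_der_list(bundle_text)]
    if not certs:
        return ["no certificates found"]
    problems = []
    for i in range(len(certs) - 1):
        issuer, _ = certs[i]
        _, next_subject = certs[i + 1]
        if issuer != next_subject:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}")
    last_issuer, last_subject = certs[-1]
    if last_issuer != last_subject:
        problems.append("last certificate is not self-signed (root expected last)")
    return problems


# --- constructed sample data: toy, unsigned X.509 structures, not real certificates ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN (2.5.4.3)."""
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def toy_cert_pem(subject_cn, issuer_cn):
    """Build a structurally valid but unsigned certificate and PEM-encode it."""
    rsa_oid = _tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B")          # sha256WithRSA
    sig_alg = _tlv(0x30, rsa_oid + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"200901000000Z") + _tlv(0x17, b"220901000000Z"))
    spki = _tlv(0x30, sig_alg + _tlv(0x03, b"\x00"))                        # placeholder key
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    cert = _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 33))             # dummy signature
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SERVER = toy_cert_pem("wapt.example.invalid", "Toy Intermediate CA")
INTER = toy_cert_pem("Toy Intermediate CA", "Toy Root CA")
ROOT = toy_cert_pem("Toy Root CA", "Toy Root CA")
CORRECT_BUNDLE = SERVER + INTER + ROOT      # the order nginx expects
REVERSED_BUNDLE = ROOT + INTER + SERVER     # the order the post says the provider delivered

if __name__ == "__main__":
    for label, bundle in (("correct", CORRECT_BUNDLE), ("reversed", REVERSED_BUNDLE)):
        print(label, check_bundle_order(bundle) or "OK")
```

On the server itself, `check_bundle_order(open("/opt/wapt/waptserver/ssl/cert.pem").read())` returning an empty list means the file is ordered as the post describes; any message names the position of the certificate that is out of place. Because the check compares Name fields only, run a signature-checking chain validation as well before relying on the result.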