From d0915051d1987a38aaca67a81890231c1848483b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Richard=20K=C3=B6rber?= Date: Thu, 10 Mar 2016 01:40:16 +0100 Subject: [PATCH] Document certificate renewal --- src/site/markdown/usage/certificate.md | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/src/site/markdown/usage/certificate.md b/src/site/markdown/usage/certificate.md index 59da3f41..55bbc3bc 100644 --- a/src/site/markdown/usage/certificate.md +++ b/src/site/markdown/usage/certificate.md 
@@ -6,7 +6,7 @@ Once you completed all the previous steps, it's time to request the signed certi To do so, prepare a PKCS#10 CSR file. A single domain may be set as _Common Name_. Multiple domains must be provided as _Subject Alternative Name_. Other properties (_Organization_, _Organization Unit_ etc.) depend on the CA. Some may require these properties to be set, while others may ignore them when generating the certificate. -CSR files can be generated with command line tools like `openssl`. Unfortunately the standard Java does not offer classes for that, so you'd have to resort to [Bouncy Castle](http://www.bouncycastle.org/java.html) if you want to create a CSR programmatically. In the `acme4j-utils` module, there is also a [`CSRBuilder`](../apidocs/org/shredzone/acme4j/util/CSRBuilder.html) for your convenience. You can also use [`KeyPairUtils`](../apidocs/org/shredzone/acme4j/util/KeyPairUtils.html) for generating the domain key pair. +CSR files can be generated with command line tools like `openssl`. Unfortunately the standard Java does not offer classes for that, so you'd have to resort to [Bouncy Castle](http://www.bouncycastle.org/java.html) if you want to create a CSR programmatically. In the `acme4j-utils` module, there is a [`CSRBuilder`](../apidocs/org/shredzone/acme4j/util/CSRBuilder.html) for your convenience. You can also use [`KeyPairUtils`](../apidocs/org/shredzone/acme4j/util/KeyPairUtils.html) for generating the domain key pair. Do not just use your account key pair as domain key pair, but generate a separate pair of keys! @@ -20,6 +20,14 @@ csrb.sign(domainKeyPair); byte[] csr = csrb.getEncoded(); ``` +It is a good idea to store the generated CSR somewhere, as you will need it again for renewal: + +```java +try (FileWriter fw = new FileWriter("example.csr")) { + csrb.write(fw); +} +``` + Now all you need to do is to pass in a binary representation of the CSR and request the certificate: ```java 
@@ -65,7 +73,19 @@ The number of domains per certificate may also be limited (_Let's Encrypt_ curre ## Renewal -Renewing your certificate depends on the CA. Some may require you to go through the authorization process again, while others may just provide an updated certificate for download at the `certUri` above. +Certificates are only valid for a limited time, and need to be renewed before expiry. To find out the expiry date of a `X509Certificate`, invoke its `getNotAfter()` method. + +For renewal, just request a new certificate using the original CSR: + +```java +PKCS10CertificationRequest csr = CertificateUtils.readCSR( + new FileInputStream("example.csr")); + +URI certUri = client.requestCertificate(account, csr.getEncoded()); +X509Certificate cert = client.downloadCertificate(certUri); +``` + +Instead of loading the original CSR, you can also generate a new one. So renewing a certificate is basically the same as requesting a new certificate. ## Revocation
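Review bot: In the first hunk, the new paragraph says to keep the generated CSR "as you will need it again for renewal", but the CSR only carries the public key; renewing from it is useless unless the domain key pair that signed it (`domainKeyPair` from the preceding snippet) is also persisted, and kept confidential, since the renewed certificate will be issued for that same key. The hunk already stresses generating a separate domain key pair, so add a sentence next to the `csrb.write(fw)` example saying that the domain key pair must be stored as well (e.g. with the `KeyPairUtils` mentioned earlier in the section), with file permissions restricted to the service that terminates TLS. Minor: `new FileWriter("example.csr")` uses the platform default charset; PEM is ASCII so it works, but it is worth spelling out the charset to avoid surprises when the same file is read elsewhere.

Review bot: In the second hunk, the renewal snippet leaks a file handle and the rewritten text drops a caveat that the removed line still carried. `CertificateUtils.readCSR(new FileInputStream("example.csr"))` never closes the stream; wrap it in try-with-resources, matching the `FileWriter` example added in the first hunk. More importantly, the removed sentence warned that some CAs "may require you to go through the authorization process again"; the replacement ("just request a new certificate using the original CSR") reads as if `requestCertificate` always succeeds, whereas an authorization for the domain may have expired by renewal time and the request can then be rejected, so keep the note that the domains may have to be re-authorized first. Finally, the closing sentence should state the security trade-off of the two options it offers: loading the original CSR keeps the same private key for every renewal, while generating a new CSR from a fresh key pair rotates the key, which is the preferable default.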