I cannot renew my certificates

See also: How to renew a certificate

Problem #1

"Now renewing the following certificates:
Your certificate request has failed to be processed correctly, please
try submitting it again.Your certificate request has failed to be
processed correctly, please try submitting it again."

Unofficial answer from the CAcert support mailinglist:

You may verify you have loaded the certificate in the browser your using to renew the cert.

This is a known issue and has been reported several times. The underlying database on CAcert has changed to add new features. Your old certificate is missing some details so it cannot be renewed until these records have been fixed manually.

We are hopeful that this issue will be fixed in the near future (Hope dies last). For the time being the best solution is to let your old certificate expire and generate a new one.

Problem #2

--- Problem:
One tries to renew a certificate (NOT to request a new one) via CAcert's
website, but keeps getting the following error message:
"Now renewing the following certificates:
Your certificate request has failed to be processed correctly, please try
submitting it again."
--- Reason:
There was a database change about a year ago, which made some, but not all,
older certificates unrenewable.
--- The only solution:
Create a new certificate.
---- Disadvantage:
One has to send the (new public key from the) new certificate to all his
correspondents.
This only requires to send them one digitally signed mail requesting them to
store the new certificate. Depending on the settings Outlook Express 5 (and
may be others as well) handle this (storage) automatically.
--- Remark:
Because this problem does not occur with all older certificates, it was/is
not possible to generate an error message with a more clear explanation
(probably also because of a shortage of programmers combined with other
priorities). All is voluntary work!
/gustav

Problem #3

After I renew an expired certificate on the CAcert website, its public key remains unchanged, but the certificate gains another serial number. This (or possibly another) fact make Windows / Internet Explorer not to assign the renewed certificate to the saved private key. Thus, the certificate renewal remains incomplete. You can see that, because the certificate icon lacks the picture of a key; moreover, in the description of the certificate (if you open it) is missing the sentence: "You have a public key,...".

The resolution using a Linux OS (assuming that both CAcert root certificates are already installed in both Windows and Linux OSes, and in the Mozilla browser):

  1. Export the original (expired) certificate with the related private key into a file suffixed .PFX or .P12 using the Certificates module of MMC.
  2. Import it with its private key into the Mozilla Firefox browser running under the Linux OS.
  3. Then import the renewed certificate. The link of keys succeeds here. Firefox shows both the old and the renewed certificates.
  4. Make a backup of the renewed certificate with the private key (or export it to have a backup) into the file suffixed .P12.
  5. Import that file into Internet Explorer under Windows OS. Now also the private key is imported.
  6. You can check the success by examining the certificate icon (in the module Certificates of the MMC program) or (in the Internet Explorer) that the renewed certificate is added to the Personal list.

The resolution using Windows only (verified in the Windows 10 with Mozilla Firefox version 43.0a2):

  1. Export the original (expired) certificate with the related private key into a file suffixed .PFX or .P12 using the Certificates module of MMC.
  2. Install the Mozilla Firefox for Windows. Mozilla Firefox has its own certificate repository: Options - Advanced - Certificates.
  3. Install both root certificates CAcert (the Authorities list) and the expired client certificate with the private key from the .PFX or .P12 file (the Personal list).

  4. Then import your renewed CAcert client certificate, which is stored in the PEM (suffix .CRT) or DER (suffix .CER) type file. Firefox shows both the old and the renewed certificates.
  5. Backup the renewed certificate with the private key to the PEM formatted file with the .P12 suffix.
  6. Import that file into Windows OS using the certificate module of MMC. Check the success the same way as above.


FAQ/CertificateRenewal (last edited 2016-05-05 06:45:17 by AlesKastner)