Renew SSL cert changing key length to 2048 bits without downtime
Since 01.01.2011 a key length of 2048 bits is required for SSL certificates. I need to renew our Entrust certificates, but our system is set up for key lengths of 1024 bits.
I've changed the profile parameter sec/rsakeylengthdefault to 2048 and restarted the system. To let the setting take effect in STRUST, I have to replace the PSE. Only then can I create a certificate request that is accepted by Entrust.
After dynamically changing the profile parameter to 1024 again, restoring the previous PSE does not seem to be possible (although the old certificate is not expired yet); I cannot import it as a certificate response any more.
This means I cannot use this method in the productive system (buying a certificate and distributing it to our customers takes a week). The communication cannot go down for a week.
I can use Windows to generate a certificate request with the required length, but I'm not sure that the certificate response can be uploaded in STRUST (after replacing the PSE) without problems.
Can you please advise on this?