In message <[EMAIL PROTECTED]> on Thu, 26 Feb 2004 12:43:12 +0100, Andreas Feldner 
<[EMAIL PROTECTED]> said:

feldner> I'm wondering what to do to extend the validity of the
feldner> certificate of sort-of a sub-CA. Currently, I'm using the
feldner> openssl ca command. The current certificate expires on
feldner> 040306161008Z. I tried to generate another one using:
feldner> 
feldner> openssl ca -name ..... -in subcacert.req -startdate 040306161009Z ...
feldner> 
feldner> But, although the expiration date is listed correctly in the
feldner> index.txt file, the command complains:
feldner> 
feldner> ERROR:There is already a certificate for <subject dn>
feldner> The matching entry has the following details
feldner> Type      :Valid
feldner> Expires on    :040306161008Z
feldner> Serial Number :01
feldner> File name     :unknown
feldner> ...
feldner> 
feldner> Any ideas? Should I revoke the old certificate and create
feldner> another one right now?

Revoking is probably the best idea, except it will eventually end up
in a CRL, which is bad since that doesn't really reflect the truth.
I'm not sure there's another choice though.

A related question: is the new cert made with the same key as the old
one?  If not, it would probably be a good idea to do a proper
certificate roll-over, or the EE certs signed with the old keys will
have to be regenerated immediately as well.

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-708-26 53 44
                    \      SWEDEN       \
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
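
Added example, not part of the original messages and not OpenSSL's own code: a pre-flight check that reads the CA's index.txt and lists the rows that trigger the "There is already a certificate" error quoted above. The sample database and its subject DNs are constructed, and the function names are illustrative.

```python
from datetime import datetime, timezone

# Constructed sample index.txt (tab-separated columns, as `openssl ca` writes
# them): status, expiry, revocation date, serial, file name, subject DN.
# The subject DNs are made up; the expiry and serial of the first row are
# the ones quoted in the thread.
SAMPLE_INDEX = (
    "V\t040306161008Z\t\t01\tunknown\t/C=DE/O=Example/CN=Example Sub CA\n"
    "R\t030101000000Z\t021201000000Z\t02\tunknown\t/C=DE/O=Example/CN=Old Host\n"
)
STATUS = {"V": "Valid", "R": "Revoked", "E": "Expired"}


def parse_time(text):
    """Parse YYMMDDHHMMSSZ (UTCTime) or YYYYMMDDHHMMSSZ (GeneralizedTime)."""
    digits = text.rstrip("Z")
    if len(digits) == 12:  # UTCTime: RFC 5280 maps YY < 50 to 20YY, else 19YY
        yy = int(digits[:2])
        digits = ("20" if yy < 50 else "19") + digits
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return one dict per non-empty line of an index.txt database."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expires, revoked, serial, filename, subject = line.split("\t", 5)
        entries.append({"type": STATUS.get(status, status),
                        "expires": parse_time(expires), "revoked": revoked,
                        "serial": serial, "filename": filename,
                        "subject": subject})
    return entries


def blocking_entries(entries, subject):
    """Entries with the same subject DN that are still marked Valid.

    The comparison is on the status column, not on the expiry date, so a new
    -startdate does not make the old row stop matching.
    """
    return [e for e in entries if e["type"] == "Valid" and e["subject"] == subject]


if __name__ == "__main__":
    for e in blocking_entries(parse_index(SAMPLE_INDEX),
                              "/C=DE/O=Example/CN=Example Sub CA"):
        print(f"Type: {e['type']}  Expires on: {e['expires']:%Y-%m-%d %H:%M:%SZ}  "
              f"Serial Number: {e['serial']}  File name: {e['filename']}")
```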
