Greg Vickers wrote:
> Thanks again - we will do a re-key. Would I use the CA.pl script and
> put in the same information that is in the original CA certificate?
> Will that result in a CA certificate that can be used in browsers etc
> and will authenticate web server certificates issued by the old
> certificate?

I think the answer is: "it depends".
I have just tested this very situation out myself a couple of weeks ago. Had an existing CA which is going to expire in 2007, but now have heaps of client certs out on end-user machines with expiry dates > 2007 (yes, it can be done - don't ask why we did this - too much detail!). So I'd *love* to be able to re-create the CA cert with a longer expiry date.

So I did: different expiry date and different serial number from the original, but everything else identical. However, that still makes it a "different" cert.

Anyway, I tested a new client cert signed with the new CA against an existing Cisco VPN3000 concentrator which is configured to only accept certs signed by the old CA - it worked!! Then I tried it against an Apache web server configured to only accept client certs signed by the old CA - it failed. Apache didn't recognize the signing CA. So I'm guessing there's a bug in Cisco's VPN solution, as I think Apache was the one acting correctly :-(

I really hope someone who knows more than Greg and I can give an authoritative answer to this question. I'd LOVE to know how to recreate a CA cert (instead of creating a new one and having to touch 1000's of machines to update them). But I get the feeling this can't be done.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
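The experiment Jason describes can be reproduced with the openssl command line. The script below is an added example, not code from the thread or from the OpenSSL project, and all file names, subjects and serial numbers in it are made up for the demo. It builds an original CA cert, issues a client cert under it, then creates two candidate "re-created" CA certs with the same subject: one over the same key pair with a new serial and longer validity, and one over a fresh key pair (a true re-key, as in Greg's question). It then hashes each CA cert's public key and runs `openssl verify` on the client cert against each candidate, which shows which of the two cases a given replacement CA cert falls into.

```sh
#!/bin/sh
# Added example (not from the thread): re-create a CA cert with the same
# subject but a new serial and validity, and check which CA certs will
# verify a client cert that was signed under the original CA.
# File names, subjects and serials below are invented for this demo.
set -e

WORK=$(mktemp -d)
cd "$WORK"
echo "working in $WORK"

CA_SUBJ="/O=Example/CN=Example Demo CA"

# 1. Original CA: one key pair, self-signed cert, serial 1, short validity.
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -x509 -key ca.key -subj "$CA_SUBJ" -days 365 \
    -set_serial 1 -out ca-old.pem

# 2. A client cert issued under the original CA cert.
openssl genrsa -out client.key 2048 2>/dev/null
openssl req -new -key client.key -subj "/CN=client1" -out client.csr
openssl x509 -req -in client.csr -CA ca-old.pem -CAkey ca.key \
    -set_serial 100 -days 30 -out client.pem 2>/dev/null

# 3. "Re-created" CA cert: SAME key and subject, NEW serial, longer validity.
openssl req -new -x509 -key ca.key -subj "$CA_SUBJ" -days 3650 \
    -set_serial 2 -out ca-same-key.pem

# 4. For contrast, a true re-key: same subject, but a fresh key pair.
openssl genrsa -out ca2.key 2048 2>/dev/null
openssl req -new -x509 -key ca2.key -subj "$CA_SUBJ" -days 3650 \
    -set_serial 3 -out ca-new-key.pem

# SHA-256 over the PEM SubjectPublicKeyInfo: equal iff the certs carry
# the same public key.
pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# Exit status 0 if client.pem chains to the given CA cert, non-zero otherwise.
verify_client() {
    openssl verify -CAfile "$1" client.pem >/dev/null 2>&1
}

for ca in ca-old.pem ca-same-key.pem ca-new-key.pem; do
    fp=$(openssl x509 -in "$ca" -noout -fingerprint -sha256 | cut -d= -f2)
    echo "$ca  fingerprint=$fp"
    echo "$ca  pubkey-hash=$(pubkey_hash "$ca")"
    if verify_client "$ca"; then
        echo "$ca: client cert verifies"
    else
        echo "$ca: client cert does NOT verify"
    fi
done
```

All three CA certs have different fingerprints, so a relying party that pins the CA by fingerprint (or by issuer name plus serial) will treat any re-created cert as a different CA. OpenSSL's own path validation, which Apache's mod_ssl uses, instead locates the issuer by subject name (and key identifier, when present) and then checks the signature, so a CA cert re-issued over the original key pair still verifies the old client certs, while one issued over a fresh key pair does not. Whether an attempted "re-creation" keeps the old key is therefore the thing to check first.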