> I know this is a noob question but I have inherited an
> existing CA based on openssl. I need to change some
> existing certificates from 512 bit to 2048 bit. I have
> the private keys and was wondering if the proper
> approach was to renew the certificate and modify them
> there?  Or is this not possible?  Possible but through
> another mechanism?

Dear Ray:

Your question is unclear.  I assume that you are referring
to RSA keys with a 512 bit and 2048 bit modulus, correct?
Even then, your question needs additional clarification.

Do the existing certificates issued by your CA for each
entity have:

1) a 512 bit RSA public key that corresponds to that
        entity's 512 bit RSA private key

2) a digital signature that was generated by the CA's 512
        bit RSA private key when signing the certificate

In the case of (1), each entity needs to generate a brand new
RSA private key with a 2048 bit RSA modulus, and then issue a
certificate request (which needs to be validated) before the
CA can issue the replacement certificates.

In the case of (2), if you have a copy of the original
certificate requests, you can simply re-sign them with your
new 2048 bit RSA signing key for your CA.  Or if you don't,
you can use openssl and other tools to extract the data from
any issued certificate (RSA public key, X509 subject, X509v3
extensions, etc.) and then re-issue brand new certificates
from that data, which you then sign with your new 2048 bit
RSA signing key for your CA.  Note that for (2) you will
need to generate a brand new CA (root) self-signed
certificate that contains the corresponding 2048 bit RSA
public key of the CA signing key.  That new CA certificate
should also have a different subject to distinguish it from
the old CA root certificate.

Alicia.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
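The extract-and-re-issue procedure from case (2) above, as an added example that is not part of the thread: it builds a throwaway 512 bit CA and one leaf certificate it issued, generates a 2048 bit CA with a new subject, pulls the subject, public key and subjectAltName back out of the issued certificate, turns that certificate into a request with the entity's private key (x509 -x509toreq), signs it with the new CA, and then checks that the result chains to the new root only and carries the same public key and SAN. The names (Example Root CA, example.test), key sizes, file layout under a temporary directory and the extension list rebuilt in reissue.ext are all assumptions made for the demo; the entity's key is deliberately left untouched, since replacing it is case (1), a new key and a new request from each entity.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): re-issue a leaf certificate
# under a new 2048 bit CA while keeping the subject, public key and SAN of the
# certificate the old 512 bit CA issued.  Names, sizes and paths are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
OLD_BITS=512      # the inherited CA's modulus size (assumed, as in the question)
NEW_BITS=2048

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test, DNS:example.test
EOF

# Print the subjectAltName value of a certificate in config syntax
# ("DNS:a,DNS:b"), portable across openssl versions (no -ext needed).
san_of() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Subject Alternative Name/ { getline; gsub(/ /, ""); print; exit }'
}

# The inherited state: a 512 bit root and a leaf certificate it signed.
make_old_pki() {
  openssl genrsa -out "$WORK/old-ca.key" "$OLD_BITS" 2>/dev/null
  openssl req -new -x509 -key "$WORK/old-ca.key" -config "$WORK/req.cnf" \
    -subj "/CN=Example Root CA" -extensions ca_ext -sha256 -days 3650 \
    -out "$WORK/old-ca.crt"
  openssl genrsa -out "$WORK/leaf.key" "$OLD_BITS" 2>/dev/null
  openssl req -new -key "$WORK/leaf.key" -config "$WORK/req.cnf" \
    -subj "/CN=www.example.test" -out "$WORK/leaf-orig.csr"
  openssl x509 -req -in "$WORK/leaf-orig.csr" -CA "$WORK/old-ca.crt" \
    -CAkey "$WORK/old-ca.key" -CAcreateserial -sha256 -days 365 \
    -extfile "$WORK/req.cnf" -extensions leaf_ext \
    -out "$WORK/old-leaf.crt" 2>/dev/null
}

# The replacement root: new 2048 bit key and, as the reply recommends, a
# different subject so the two roots cannot be confused.
make_new_ca() {
  openssl genrsa -out "$WORK/new-ca.key" "$NEW_BITS" 2>/dev/null
  openssl req -new -x509 -key "$WORK/new-ca.key" -config "$WORK/req.cnf" \
    -subj "/CN=Example Root CA G2" -extensions ca_ext -sha256 -days 3650 \
    -out "$WORK/new-ca.crt"
}

# Case (2): extract the data from the issued certificate and re-issue it.
reissue_leaf() {
  old=$WORK/old-leaf.crt
  subject=$(openssl x509 -in "$old" -noout -subject -nameopt RFC2253)
  san=$(san_of "$old")
  openssl x509 -in "$old" -noout -pubkey > "$WORK/old-leaf.pub"
  # Rebuild the X509v3 extensions; -x509toreq does not carry them over.
  # The non-SAN values are assumed to match what the old CA issued.
  cat > "$WORK/reissue.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
  # Certificate -> request (entity's private key is available per the question),
  # then request -> certificate under the new CA.
  openssl x509 -x509toreq -in "$old" -signkey "$WORK/leaf.key" \
    -out "$WORK/leaf-reissue.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf-reissue.csr" -CA "$WORK/new-ca.crt" \
    -CAkey "$WORK/new-ca.key" -CAcreateserial -sha256 -days 365 \
    -extfile "$WORK/reissue.ext" -out "$WORK/new-leaf.crt" 2>/dev/null
  printf 're-issued %s with %s\n' "$subject" "$san"
}

# Checks a practitioner wants before trusting the new certificates.
verify_reissued() {
  openssl verify -CAfile "$WORK/new-ca.crt" "$WORK/new-leaf.crt" >/dev/null || return 1
  ! openssl verify -CAfile "$WORK/old-ca.crt" "$WORK/new-leaf.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/new-leaf.crt" -noout -pubkey > "$WORK/new-leaf.pub"
  cmp -s "$WORK/old-leaf.pub" "$WORK/new-leaf.pub" || return 1   # entity key unchanged
  openssl x509 -in "$WORK/new-ca.crt" -noout -text |
    grep -q "Public-Key: ($NEW_BITS bit)" || return 1              # CA key really 2048
  old_san=$(san_of "$WORK/old-leaf.crt"); new_san=$(san_of "$WORK/new-leaf.crt")
  [ -n "$old_san" ] && [ "$old_san" = "$new_san" ]                 # SAN preserved
}

run_demo() {
  make_old_pki; make_new_ca; reissue_leaf
  verify_reissued && echo "re-issued leaf verifies against the new $NEW_BITS bit CA only"
}
run_demo
```

The new leaf verifies only against the new root, so nothing that still trusts just the old root will accept it; distribute the new CA certificate to relying parties before swapping the leaf certificates. Until the entities also go through case (1), the leaf keys themselves remain 512 bit, which this re-issuance does nothing to fix.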