Alicia,

Thank you for getting back to me.

I need to take the Root CA certificate/private key and change the modulus from 512 bit to 2048 bit. I assume that I have to make a new Root CA Certificate request and then sign it with the old one? The problem that I have is newer devices are not allowing me to insert our internal CA root as a trusted root CA. The error message says the root CA is 512 bits and must be 2048 bits before it can be accepted.

--- Alicia da Conceicao <[EMAIL PROTECTED]> wrote:

> > I know this is a noob question but I have inherited an
> > existing CA based on openssl. I need to change some
> > existing certificates from 512 bit to 2048 bit. I have
> > the private keys and was wondering if the proper
> > approach was to renew the certificate and modify them
> > there? Or is this not possible? Possible but through
> > another mechanism?
>
> Dear Ray:
>
> Your question is unclear. I assume that you are referring
> to RSA keys with 512 bit and 2048 bit modulus, correct?
> Even then, your question needs additional clarification.
>
> Do the existing certificates issued by your CA for each
> entity have:
>
> 1) a 512 bit RSA public key that corresponds to that
> entity's 512 bit RSA private key
>
> 2) a digital signature that was generated by the CA's 512
> bit RSA private key when signing the certificate
>
> In the case of (1), each entity needs to generate a brand new
> RSA private key with a 2048 bit RSA modulus, and then issue a
> certificate request (which needs to be validated) before the
> CA can issue the replacement certificates.
>
> In the case of (2), if you have a copy of the original
> certificate requests, you can simply re-sign them with your
> new 2048 bit RSA signing key for your CA. Or if you don't,
> you can use openssl and other tools to extract the data from
> any issued certificate (RSA public key, X509 subject, X509v3
> extensions, etc.) and then re-issue brand new certificates
> from that data, which you then sign with your new 2048 bit
> RSA signing key for your CA. Note that for (2) you will
> need to generate a brand new CA (root) self-signed
> certificate that contains the corresponding 2048 bit RSA
> public key of the CA signing key. Also that new CA
> certificate should also have a different subject to
> distinguish it from the old CA root certificate.
>
> Alicia.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
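
Added example, not written by either poster or the OpenSSL project: case (2) from the reply above carried out with the openssl command line, creating a new 2048-bit root with a distinct subject and re-issuing a certificate from the subject and public key read out of an old one. All file names, subjects, lifetimes and the constructed 512-bit stand-in CA are assumptions, and X509v3 extensions are not carried over.

```shell
#!/usr/bin/env bash
# Added example: file names, subjects and lifetimes are assumptions.
set -eu

# Self-signed root. $1 = output prefix, $2 = subject, $3 = RSA modulus bits.
make_root() {
  openssl genrsa -out "$1.key" "$3" 2>/dev/null
  openssl req -x509 -new -key "$1.key" -sha256 -days 3650 -subj "$2" -out "$1.crt"
}

# Re-issue an existing certificate under a new root using only data read from
# that certificate (subject and public key). $1 = old cert, $2 = new root
# prefix, $3 = output cert. X509v3 extensions are not carried over here.
reissue() {
  local tmp subj
  tmp=$(mktemp -d)
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//')
  openssl x509 -in "$1" -noout -pubkey > "$tmp/pub.pem"
  # x509 -req wants a validly signed CSR, so a scratch key signs one carrying
  # the old subject; -force_pubkey then puts the entity's real key in the cert.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$tmp/scratch.key" \
    -subj "$subj" -out "$tmp/scratch.csr" 2>/dev/null
  openssl x509 -req -in "$tmp/scratch.csr" -force_pubkey "$tmp/pub.pem" \
    -CA "$2.crt" -CAkey "$2.key" -CAserial "$2.srl" -CAcreateserial \
    -sha256 -days 365 -out "$3" 2>/dev/null
  rm -rf "$tmp"
}

key_bits()  { openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }
pubkey_of() { openssl x509 -in "$1" -noout -pubkey; }

# Constructed stand-in for the inherited CA: a 512-bit root and one leaf.
# Prints the directory holding the old and new material.
demo() {
  local d; d=$(mktemp -d)
  make_root "$d/old-root" "/O=Example Corp/CN=Example Root CA" 512
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
    -subj "/O=Example Corp/CN=device1.example.test" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/old-root.crt" -CAkey "$d/old-root.key" \
    -CAserial "$d/old-root.srl" -CAcreateserial -sha256 -days 365 -out "$d/old-leaf.crt" 2>/dev/null
  make_root "$d/new-root" "/O=Example Corp/CN=Example Root CA G2" 2048
  reissue "$d/old-leaf.crt" "$d/new-root" "$d/new-leaf.crt"
  echo "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

The re-issued certificates chain only to the new root, so that root certificate has to be installed as a trust anchor on each relying device before the old certificates are replaced.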