> > "Is it possible to extend the expiry of this certificate
> > without changing any other fields in the certificate?"
> >
> > to which it seems that the answer is
> >
> > "Yes",
>
> How could the answer be anything other than yes?

All too easily. Because as you yourself point out, such a change would invalidate the signature. And if a new signature is acquired - for all practical purposes it is a new certificate, regardless of how much in common it happens to have with the old one.

> Could there
> be some mysterious force that compels you to change other fields?

I never heard that there was a "minimal change" that was allowed without invalidating the cert. :-)

> Or you can argue that the answer is "no", since you have to
> at least change the signature and you pretty much have to
> change the serial number.

Exactly!

> And the OP replies:
>
> > Yes. That's what I was trying to ask. So, how can
> > I change the expiry date of an existing certificate
> > without changing any other field? Is
> > there any openssl command that I may use?
>
> Did you not read or understand my answer? There is no
> difference between changing the date on the old certificate
> and issuing a new certificate.

If one wants to preserve the old serial number and old signatures - the answer is "no-how, no way". If one wants to have the same cert with a new expiration date - then just get a new cert with that one change (like David described).

> Just issue a new certificate the same way you issued the
> original one, changing only the expiration date (and the
> signature, if you want). Tell everyone you changed the
> expiration date on the original, they won't be able to tell
> that you're lying.

Yes! :-) And how can the signature not be changed? It's a different stream of bits (from the original cert), so it necessarily requires a new (different) signature.

> Sorry if this sounds like insane ranting. I'm really
> trying to be helpful, but it seems like it didn't sink
> in the first time.

:-) Let's see how the 2nd iteration goes. :-)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
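
The re-issue discussed in this thread, as an added example that is not part of the original message or of the OpenSSL project's documentation: it re-signs an existing certificate with a new expiry and compares old and new. It assumes the `openssl` command-line tool is installed and uses a self-signed certificate as a stand-in for a CA-issued one; the directory, file names and subject are constructed for the demo.

```bash
# Added example; every file name and the subject below are constructed.
set -eu
dir=$(mktemp -d)

# Stand-in for "the existing certificate": self-signed, valid for 30 days.
issue_original() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=demo.example.test" \
    -keyout "$dir/key.pem" -out "$dir/old.pem" 2>/dev/null
}

# Re-issue from the old certificate with the same key. Subject and public key
# are carried over, the validity period is rewritten, and the result is signed
# again. A CA would normally also assign a new serial number at this step.
reissue() {
  openssl x509 -in "$dir/old.pem" -signkey "$dir/key.pem" \
    -days 365 -out "$dir/new.pem" 2>/dev/null
}

# Print properties of a certificate, e.g. "cert_field old -subject".
cert_field() {
  name=$1
  shift
  openssl x509 -in "$dir/$name.pem" -noout "$@"
}

# SHA-256 digest of the DER-encoded public key, for easy comparison.
pubkey_digest() {
  openssl x509 -in "$dir/$1.pem" -noout -pubkey |
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

issue_original
reissue
for which in old new; do
  echo "== $which =="
  cert_field "$which" -subject -enddate -fingerprint -sha256
  echo "pubkey sha256: $(pubkey_digest "$which")"
done
```

Subject and public-key digest match between the two, while the end date and the whole-certificate fingerprint differ: the re-issued file is a new certificate with a new signature.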