What I would do is a pair of commands:

$ openssl x509 -in currentcertificate.pem -out selfsigned.pem -days 1024 -signkey currentkey.pem
$ openssl x509 -in selfsigned.pem -days 1024 -CA ca.pem -CAserial serial -out refreshedcert.pem -outform PEM

Since you're creating a self-signed cert in the first command, the
input is appropriate for the -CA function.

Note, under the BUGS section of the 'x509' man page, it says:
"Extensions in certificates are not transferred to certificate
requests and vice versa."  So you can't just convert to request and
then sign the request.  However, extensions are retained from cert to
cert if you don't use the -clrext option.

-Kyle H


On 10/24/07, Simon McMahon <[EMAIL PROTECTED]> wrote:
> I found this in the pkcs#12 FAQ:
>
> <snip>
> 2.      Extend the CA expiry date with e.g.:
> openssl x509 -in demoCA/cacert.pem -days 1024 -out cacert.pem -signkey
> demoCA/private/cakey.pem
> ...
>
> This is almost correct for me, and it even preserves the extensions, but
> it always produces a self-signed cert by resetting the issuer.
>
> I also tried the following, where my cert is in ee.pem (signed by ca.pem):
>
> openssl x509 -in ee.pem -days 1024 -out ee_1.pem -CA ca.pem -CAserial serial
>
> It fails like this:
> Loading 'screen' into random state - done
> Getting CA Private Key
> /C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=Test/CN=ee
> error with certificate - error 20 at depth 0
> unable to get local issuer certificate
> /C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=Test/CN=ee
> error with certificate - error 21 at depth 0
> unable to verify the first certificate
>
> The doc says "Without the -req option the input is a certificate which
> must be self signed" and the ee cert obviously isn't self-signed. Are there
> any command options that can get this to work?
>
> I can write a program to do this but since it works already for
> self-signed certs, I would have thought it would already be in openssl.
> Any reason why it's not in the 'openssl' command line tool?
> If I patch the openssl tool to add this will it get integrated into the
> main code base? I.e. would anyone else use this to refresh end-user certs?
>
> Simon McMahon
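The two-step refresh from Kyle's reply, as an added shell demonstration that is not part of the original thread. It builds a throwaway CA and an end-entity certificate, tries Simon's one-step re-sign (OpenSSL 1.x verifies the input against the default store and accepts only self-signed input, which is where errors 20 and 21 above come from; the 3.x x509 tool no longer performs that check), then applies the self-sign-then-re-sign sequence and checks that the result chains to the CA, keeps its subject and subjectAltName, and has the longer lifetime. File names, the CA and EE subjects and the config sections are constructed for the example. Unlike Kyle's second command, which omits -CAkey and so expects the CA key to be inside ca.pem, the example passes -CAkey explicitly.

```shell
#!/bin/sh
# Added demonstration of the self-sign-then-re-sign refresh discussed in the
# thread. Not from the original post; file names, subjects and config sections
# are constructed here.
set -eu

# Throwaway CA plus an end-entity (EE) cert signed by it. The EE cert carries
# extensions (SAN, keyUsage) so we can check that they survive the refresh.
setup_pki() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_ee]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectAltName = DNS:ee.example
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
        -days 30 -config "$d/demo.cnf" -subj /CN=Test-CA -extensions v3_ca
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ee.key" -out "$d/ee.csr" \
        -config "$d/demo.cnf" -subj /CN=ee.example
    # Deliberately short-lived (30 days) so the refresh visibly extends it.
    openssl x509 -req -in "$d/ee.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAserial "$d/serial" -CAcreateserial -days 30 -out "$d/ee.pem" \
        -extfile "$d/demo.cnf" -extensions v3_ee
}

# Simon's one-step attempt: feed the CA-issued cert straight to -CA.
# OpenSSL 1.x accepts only self-signed input here (errors 20/21 in the thread);
# the 3.x tool dropped that check, so the outcome depends on the version.
direct_resign() {
    d=$1
    openssl x509 -in "$d/ee.pem" -days 1024 -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAserial "$d/serial" -out "$d/ee_direct.pem"
}

# Kyle's two-step refresh.
refresh_cert() {
    d=$1
    # Step 1: -signkey makes the cert self-signed with fresh dates; the
    # extensions are retained because -clrext is not given.
    openssl x509 -in "$d/ee.pem" -signkey "$d/ee.key" -days 1024 -out "$d/ee_self.pem"
    # Step 2: a self-signed cert is acceptable input for -CA, which sets the
    # issuer to the CA's subject and signs with the CA key.
    openssl x509 -in "$d/ee_self.pem" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAserial "$d/serial" -CAcreateserial -days 1024 -out "$d/ee_refreshed.pem"
}

# Return 0 only if the refreshed cert chains to the CA, kept its subject and
# SAN, and now outlives the original (still valid a year from now).
check_refreshed() {
    d=$1
    openssl verify -CAfile "$d/ca.pem" "$d/ee_refreshed.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$d/ee_refreshed.pem" -noout -issuer  | grep -q 'Test-CA'        || return 1
    openssl x509 -in "$d/ee_refreshed.pem" -noout -subject | grep -q 'ee.example'     || return 1
    openssl x509 -in "$d/ee_refreshed.pem" -noout -text    | grep -q 'DNS:ee.example' || return 1
    # -checkend exits 0 only if the cert is still valid after the given seconds:
    # the original must fail the one-year check, the refreshed one must pass it.
    if openssl x509 -in "$d/ee.pem" -noout -checkend 31536000 >/dev/null 2>&1; then return 1; fi
    openssl x509 -in "$d/ee_refreshed.pem" -noout -checkend 31536000 >/dev/null 2>&1 || return 1
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to do"; exit 0; }
    d=$(mktemp -d)
    setup_pki "$d" >/dev/null 2>&1
    if direct_resign "$d" >/dev/null 2>&1; then
        echo "one-step re-sign accepted by this openssl version"
    else
        echo "one-step re-sign rejected: input must be self-signed (the behaviour in the thread)"
    fi
    refresh_cert "$d" >/dev/null 2>&1
    if check_refreshed "$d"; then
        echo "refreshed cert chains to the CA, keeps subject and SAN, and lives longer: OK"
    else
        echo "refresh check FAILED"; exit 1
    fi
    rm -rf "$d"
}

main "$@"
```

The only thing the CA step needs is a self-signed certificate whose extensions are already the ones you want; the -signkey step supplies exactly that, and -CA then overwrites only the issuer, serial and signature. Check the refreshed certificate with openssl verify against the CA before deploying it, as the script does, rather than trusting the exit status of the re-sign alone.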
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]