The Authority Key Identifier should be the ID of the CA's key. The
Subject Key Identifier should be the ID of the certified key. If
they are the same, then it is a self-signed certificate. (This
information comes from http://oasis-pki.org/pdfs/AKID_SKID1-af3.pdf
-- I'm not sure how OpenSSL derives the key identifiers, but it
really shouldn't matter since the key identifier is essentially
turned into an arbitrary generator-specified nym by that same PDF.)
You made a typo in your tests.
openssl x509 -in ocspss.pem -days 1024 -out ocspss2.pem -CA ca.pem -
CAserial serial
See the ocspss2.pem there?
a dump of ocspss.pem (worked) gives:
Since ocspss.pem was supposed to be a self-signed cert, and
ocspss2.pem wasn't, can you please post the dump of the ocspss2.pem
and test it?
(Also, if you can post the dump of ca.pem, it would help track down
or eliminate AKID/SKID issues.)
[And, this is also barring any odd circumstance like 'outside CA
validity period' or 'trying to sign for longer than the CA is
valid'. A dump of ca.pem will help determine that, as well.]
Thanks!
-Kyle H
On Oct 24, 2007, at 10:09 PM, Simon McMahon wrote:
I just noticed in the extensions of the certificates that the
"Subject Key
Identifier" and "Authority Key Identifier" match in the one which
works
and are different in the one which fails. This may explain the
verification failure.
Looks like openssl has just copied the extensions without looking
at them.
It probably should update the "Authority Key Identifier" if it is
present
in the extensions.
Simon McMahon
Simon McMahon/Australia/Contr/[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
25/10/2007 02:48 PM
Please respond to
openssl-users@openssl.org
To
"Kyle Hamilton" <[EMAIL PROTECTED]>
cc
openssl-users@openssl.org
Subject
Re: refresh validity dates on a certificate
Great idea!
That certainly should work but didn't for me.
My openssl is "OpenSSL 0.9.8b 04 May 2006"
The 1st command worked fine and gave a self-signed cert that looked
fine.
See below for a dump of it.
openssl x509 -in sslcln.pem -days 1024 -out sslcln2.pem
-signkey sslcln.pem
The 2nd command returned the same error (see below) as I was getting
before!
openssl x509 -in sslcln2.pem -days 1024 -out
sslcln3.pem -CA
ca.pem -CAserial serial
Note: sslcln.pem and ca.pem both contain the cert & private key.
To make sure I wasn't just doing it wrong I tried it on another
self-signed cert, created normally (for ocsp) with "openssl req -
new -x509
..."
openssl x509 -in ocspss.pem -days 1024 -out
ocspss2.pem -CA
ca.pem -CAserial serial
This worked fine, updating the validity preserving the extensions as I
needed.
Did I do something wrong in command 1?
error from command 2:
Loading 'screen' into random state - done
Getting CA Private Key
/C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=GSKit/CN=sslcln
error with certificate - error 20 at depth 0
unable to get local issuer certificate
/C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=GSKit/CN=sslcln
error with certificate - error 21 at depth 0
unable to verify the first certificate
a dump of sslcln2.pem (not working) gives:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Queensland, O=IBM, L=Gold Coast, OU=GSKit,
CN=sslcln
Validity
Not Before: Oct 25 04:00:23 2007 GMT
Not After : Aug 14 04:00:23 2010 GMT
Subject: C=AU, ST=Queensland, O=IBM, L=Gold Coast, OU=GSKit,
CN=sslcln
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:a9:b1:99:5a:c2:d5:83:a6:6d:ea:d1:1f:f2:8c:
bf:43:6c:a2:09:07:f8:14:2f:f7:07:e4:cb:57:d9:
53:2e:55:68:86:c8:4d:8f:d2:3a:5a:81:ca:65:b0:
83:0a:97:6e:5a:15:f5:df:65:8f:e0:27:e3:dc:d1:
84:3a:ac:a2:d8:a9:9e:69:e1:5f:1d:88:10:72:85:
7e:ea:a4:db:79:43:0b:63:6b:4f:e0:8f:ee:09:9a:
66:14:bb:b1:48:2d:17:0f:da:c0:f9:12:8e:a2:98:
a5:61:86:85:14:10:30:c2:28:00:fd:0c:cb:ca:71:
9f:34:e0:8e:f5:25:f0:73:93
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
8B:44:9A:12:AE:E1:D0:7F:6F:0C:60:87:1E:A6:8A:D8:9C:3D:57:57
X509v3 Authority Key Identifier:
keyid:89:9E:C2:C4:E6:87:4E:C2:DC:9E:DE:A7:D5:BE:64:F6:BF:2C:1E:2C
X509v3 Subject Alternative Name:
<EMPTY>
Signature Algorithm: sha1WithRSAEncryption
3a:15:9e:2d:0f:01:aa:b7:a2:86:b8:09:47:6b:00:7f:16:3a:
32:46:11:be:06:16:f0:b8:cc:67:6e:8e:fe:32:14:5d:87:1c:
ea:da:fa:81:e8:e7:e8:9f:c5:e1:06:4b:cc:2e:de:f7:bc:df:
9e:60:be:94:23:67:b9:76:c9:47:4d:0c:ab:61:a5:eb:5e:3e:
d3:50:c5:4b:4c:d3:92:a3:7e:31:03:dd:68:64:6a:e3:53:df:
26:0b:c0:a0:d7:ff:a6:7d:5b:29:6f:50:8a:b7:8e:45:90:c8:
1f:2e:a2:43:14:69:54:32:82:3c:90:b1:70:b2:8e:c1:b7:5d:
df:f7
a dump of ocspss.pem (worked) gives:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ce:f1:9e:49:5a:60:ca:63
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Queensland, L=Gold Coast, O=IBM, OU=GSKit,
CN=ocspss
Validity
Not Before: Oct 6 06:53:16 2006 GMT
Not After : Oct 5 06:53:16 2009 GMT
Subject: C=AU, ST=Queensland, L=Gold Coast, O=IBM, OU=GSKit,
CN=ocspss
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:df:2b:01:4f:21:f0:ba:3d:e1:e3:e2:02:a2:c0:
9e:82:a4:e3:a7:7a:d4:84:6e:fe:a8:5e:26:a5:ff:
80:80:d2:6e:7e:24:4d:ad:ca:b6:f6:c5:9b:b4:02:
9b:39:ca:9d:b4:48:99:6f:43:d6:f8:58:b8:ff:29:
21:3f:35:40:d3:40:dd:8f:a8:36:f2:3e:5e:ed:72:
5f:01:00:40:b5:9d:5c:3e:92:a3:7d:4b:a8:51:22:
dd:6d:ab:e2:a6:f1:e1:52:30:bb:64:4b:82:33:af:
bc:23:2e:4e:0d:5b:d5:b7:71:2f:64:52:cc:78:d0:
53:9d:ad:2b:ef:7e:16:21:cb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
OCSP Signing
Netscape Comment:
OpenSSL Generated OCSP Certificate
X509v3 Subject Key Identifier:
AB:66:CE:08:DD:F2:3F:9E:45:67:69:D4:05:8C:28:85:0C:F6:08:18
X509v3 Authority Key Identifier:
keyid:AB:66:CE:08:DD:F2:3F:9E:45:67:69:D4:05:8C:28:85:0C:F6:08:18
X509v3 Subject Alternative Name:
<EMPTY>
Signature Algorithm: sha1WithRSAEncryption
65:6f:a9:c8:b2:e5:83:e6:20:c5:00:55:61:df:ee:ee:45:1d:
ff:fb:3e:87:1b:2e:b5:92:d3:ce:a5:8e:06:22:1d:73:eb:68:
59:45:a1:51:e4:a6:9d:e9:d4:10:c9:a7:2d:a4:3b:34:49:0a:
3c:fa:9f:a1:16:49:6f:f1:5c:07:6b:05:40:1d:0f:1e:05:71:
43:60:b9:d5:32:f6:d7:a8:6b:9c:5e:8e:1b:e9:ab:d8:51:96:
a1:cd:79:c4:6a:4d:5d:e5:d4:9f:10:a8:86:b4:4e:ab:8a:97:
70:7e:13:39:c9:0c:2d:38:4b:2e:ae:21:f7:b7:3a:a0:82:03:
c3:fd
Simon McMahon
"Kyle Hamilton" <[EMAIL PROTECTED]>
25/10/2007 01:09 PM
To
openssl-users@openssl.org, Simon McMahon/Australia/Contr/[EMAIL PROTECTED]
cc
Subject
Re: refresh validity dates on a certificate
What I would do is a pair of commands:
$ openssl x509 -in currentcertificate.pem -out selfsigned.pem -days
1024 -signkey currentkey.pem
$ openssl x509 -in selfsigned.pem -days 1024 -CA ca.pem -CAserial
serial -out refreshedcert.pem -outform PEM
Since you're creating a self-signed cert in the first command, the
input is appropriate for the -CA function.
Note, under the BUGS section of the 'x509' man page, it says:
"Extensions in certificates are not transferred to certificate
requests and vice versa." So you can't just convert to request and
then sign the request. However, extensions are retained from cert to
cert if you don't use the -clrext option.
-Kyle H
On 10/24/07, Simon McMahon <[EMAIL PROTECTED]> wrote:
I found this in the pkcs#12 FAQ:
<snip>
2. Extend the CA expiry date with e.g.:
openssl x509 -in demoCA/cacert.pem -days 1024 -out cacert.pem -
signkey
demoCA/private/cakey.pem
...
This is almost correct for me, and it even preserves the
extensions, but
it always produces a self-signed cert by resetting the issuer.
I also tried the following, where my cert is in ee.pem (signed by
ca.pem):
openssl x509 -in ee.pem -days 1024 -out ee_1.pem
-CA
ca.pem -CAserial serial
It fails like this:
Loading 'screen' into random state - done
Getting CA Private Key
/C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=Test/CN=ee
error with certificate - error 20 at depth 0
unable to get local issuer certificate
/C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=Test/CN=ee
error with certificate - error 21 at depth 0
unable to verify the first certificate
The doc says "Without the -req option the input is a certificate
which
must be self signed" and the ee cert obviously isn't self-signed. Is
there
any command options that can get this to work?
I can write a program to do this but since it works already for
self-signed certs, I would have thought it would already be in
openssl.
Any reason why it's not in the 'openssl' command line tool?
If I patch the openssl tool to add this will it get integrated
into the
main code base? I.e. would anyone else use this to refresh end-user
certs?
Simon McMahon
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
