On Mon, Jan 28, 2008 at 05:02:05PM +0100, Guy Deleeuw wrote:

> Hello all,
> 
> I'm new on the list.
> I created a CA in 2003 and it expired yesterday.
> 
> Is it possible to renew the CA without re-creating all client certificates?
> 

With great care, yes. You must use the same private key, the same DN, serial
number and the same key-id if applicable. For example in the cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e7:ed:11:3a:5f:51:0d:4d
        Signature Algorithm: ecdsa-with-SHA1
        Issuer: C=US, ST=New York, L=New York, O=Example Corp, CN=Insecure CA/[EMAIL PROTECTED]
        Validity
            Not Before: Jan 11 05:17:59 2008 GMT
            Not After : Jan 11 05:17:59 2018 GMT
        Subject: C=US, ST=New York, L=New York, O=Example Corp, CN=Insecure CA/[EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:e6:0e:ec:fe:04:df:13:5d:78:f7:c4:52:a1:94:
                    ee:19:09:13:b4:59:7d:d0:a2:73:38:ef:42:b8:40:
                    a1:d5:03:5b:18:e2:2b:6c:05:87:22:bb:5a:af:6a:
                    82:b5:d5:03:0e:07:8c:40:cc:43:b8:1c:2d:09:cc:
                    97:a0:eb:e5:06
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                0E:D4:AA:B1:09:91:7C:36:60:EA:56:4E:9C:57:00:AF:9C:4D:02:00
            X509v3 Authority Key Identifier:
                keyid:0E:D4:AA:B1:09:91:7C:36:60:EA:56:4E:9C:57:00:AF:9C:4D:02:00
                DirName:/C=US/ST=New York/L=New York/O=Example Corp/CN=Insecure CA/[EMAIL PROTECTED]
                serial:E7:ED:11:3A:5F:51:0D:4D

    Signature Algorithm: ecdsa-with-SHA1
        30:43:02:1f:7e:e3:7c:d8:de:56:fb:f1:dd:e2:1a:5a:fb:45:
        24:f4:18:24:8a:a0:fa:fc:f5:6e:88:ce:25:20:89:4d:9d:02:
        20:71:86:6c:eb:a7:58:00:b1:b7:d4:e6:0c:03:d2:27:73:cd:
        e9:30:91:f7:7a:dc:9d:fd:a4:91:0c:91:05:a8:27

The "Authority Key Identifier" extension must not change when the self-signed
certificate is re-issued.

To re-sign the CA cert, set the "serial" option to a file with the serial
number of the old CA, adjust other ".cnf" file options as necessary and
generate the new CA cert.

    openssl ca -batch \
            -md sha1 \
            -config ca.cnf \
            -keyfile oldkey.pem \
            -cert oldcert.pem \
            -ss_cert oldcert.pem \
            -extensions ca_cert \
            -days $days \
            -out newcert.pem

With appropriate settings in ca.cnf and the "ca_cert" section therein. You
may want some of the following:

    [ ca_cert ]
    basicConstraints        = critical,CA:true
    subjectKeyIdentifier    = hash                          # this first
    authorityKeyIdentifier  = keyid:always, issuer:always   # and now this

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
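An added example (not from the thread, nor the OpenSSL project's own code) that carries the recipe above through end to end and checks the result: it builds a throwaway CA with the DN and serial from the dump above, issues a client certificate under it, re-creates the CA certificate from the same key with "openssl req -x509" (used here instead of "openssl ca", so no CA database is needed), and then confirms that the identity fields match and that the old client certificate still verifies against the new CA certificate after the old one has expired. It assumes only an openssl binary on PATH; all keys, names and files are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: re-create a CA certificate from the same
# key with the same DN, serial and key identifiers, then check that a client cert
# signed by the old CA still chains to the new one. "openssl req -x509" stands in for
# "openssl ca" so no CA database is needed. All keys and files are constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"

cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_cert ]
basicConstraints        = critical,CA:true
subjectKeyIdentifier    = hash                         # this first
authorityKeyIdentifier  = keyid:always, issuer:always  # and now this
EOF
DN="/C=US/ST=New York/L=New York/O=Example Corp/CN=Insecure CA"
SERIAL=0xe7ed113a5f510d4d   # serial of the CA certificate shown in the thread

# Old CA (constructed): one day of validity stands in for "expired yesterday".
openssl ecparam -name prime256v1 -genkey -noout -out oldkey.pem
openssl req -new -x509 -key oldkey.pem -subj "$DN" -set_serial "$SERIAL" -days 1 \
    -config ca.cnf -extensions ca_cert -out oldcert.pem

# A client certificate issued by the old CA while it was still valid (constructed).
openssl ecparam -name prime256v1 -genkey -noout -out clientkey.pem
openssl req -new -key clientkey.pem -subj "/O=Example Corp/CN=client" -config ca.cnf -out client.csr
openssl x509 -req -in client.csr -CA oldcert.pem -CAkey oldkey.pem -CAcreateserial \
    -days 365 -out client.pem 2>/dev/null

# Re-issue: same key, DN and serial; the SKI is a hash of the unchanged public key,
# so any AKI in existing client certificates keeps pointing at this CA.
openssl req -new -x509 -key oldkey.pem -subj "$DN" -set_serial "$SERIAL" -days 3650 \
    -config ca.cnf -extensions ca_cert -out newcert.pem

# Fields that must be identical between the old and the new CA certificate.
identity() {
    openssl x509 -noout -subject -issuer -serial -in "$1"
    openssl x509 -noout -text -in "$1" | grep -A1 'Key Identifier'
}
same_identity() { [ "$(identity "$1")" = "$(identity "$2")" ]; }
# Does client.pem chain to the given CA certificate at the given Unix time?
chain_ok_at() { openssl verify -attime "$2" -CAfile "$1" client.pem >/dev/null 2>&1; }

LATER=$(( $(date +%s) + 3*86400 ))   # three days on, the old CA certificate has expired
same_identity oldcert.pem newcert.pem && echo "identity fields match"
chain_ok_at oldcert.pem "$LATER" || echo "old CA certificate: chain fails (expired)"
chain_ok_at newcert.pem "$LATER" && echo "new CA certificate: client still verifies"
```

If the serial, subject or key identifiers differ between the two dumps, the re-issue was done with a different key or configuration and existing client certificates carrying an AKI will no longer chain.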