On Mar 24, 2008, at 9:28 AM, Andreas Grimmel wrote:
> I found this command somewhere in a forum:
>
>   openssl x509 -in cacert-old.pem -days 1460 -out cacert-new.pem -signkey private/cakey.pem
>
> - in my understanding, this command takes the old cert, changes the
> validity to four more years (1460 days), and generates the new cert
> signed with the same old private/cakey.pem - somewhat logically.

No, that command resigns the cert but all the identity and expiry info
is identical. You will need to create a fresh CSR with the same
identity info to get a new expiry.

> But: opposite to that, *I* would have used this command, as I did
> when creating the original (old) CA cert:
>
>   openssl req -new -x509 -days 1460 -key private/cakey.pem -out cacert.pem
>
> - means to just create a new cert using the same old
> private/cakey.pem again.
> As I can see, the only difference would be that in the upper
> command, I probably don't have to enter the ASN1 DN credentials like
> CN/ST and so on again, since this would be taken from the old cert.
> Am I correct here?

No. The first command just resigns the cert. Its expiry remains
unchanged. Use the second command and be sure to type exactly what
was on the old cert. Confirm with a -text. Test.