Well again folks, thanks once more for your comprehensive help.
Larry Bugbee wrote:
> On Mar 24, 2008, at 9:28 AM, Andreas Grimmel wrote:
>> I found this command somewhere in a forum:
>>
>>   openssl x509 -in cacert-old.pem -days 1460 -out cacert-new.pem -signkey private/cakey.pem
>>
>> - in my understanding, this command takes the old cert, changes the
>> validity to four more years (1460 days), and generates the new cert
>> signed with the same old private/cakey.pem - somewhat logically.
>
> No, that command re-signs the cert but all the identity and expiry info
> is identical. You will need to create a fresh CSR with the same
> identity info to get a new expiry.
>
>> But: opposite to that, *I* would have used this command, as I did
>> when creating the original (old) CA cert:
>>
>>   openssl req -new -x509 -days 1460 -key private/cakey.pem -out cacert.pem
>>
>> - means to just create a new cert using the same old
>> private/cakey.pem again.
>> As I can see, the only difference would be that in the upper command,
>> I probably don't have to enter the ASN1 DN credentials like CN/ST and
>> so on again, since this would be taken from the old cert.
>> Am I correct here?
>
> No. The first command just re-signs the cert. Its expiry remains
> unchanged. Use the second command and be sure to type exactly what
> was on the old cert. Confirm with a -text. Test.
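
The closing advice in the quoted reply (reissue with the second command, keep the DN identical, confirm, test) can be rehearsed on throwaway files before touching a production CA. The script below is an added example, not part of the original thread; the DN, file names, leaf certificate and lifetimes are constructed for illustration.

```shell
#!/bin/sh
# Added example. The DN, file names and lifetimes below are constructed.
SUBJ='/C=DE/ST=Bavaria/O=Example Org/CN=Example Root CA'

# Build a short-lived "old" CA plus one leaf certificate issued under it.
make_old_ca() {  # $1 = working directory
    openssl genrsa -out "$1/cakey.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -days 30 -key "$1/cakey.pem" \
        -subj "$SUBJ" -out "$1/cacert-old.pem" &&
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/leaf.key" \
        -subj '/CN=host.example' -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/cacert-old.pem" \
        -CAkey "$1/cakey.pem" -set_serial 1 -days 20 \
        -out "$1/leaf.pem" 2>/dev/null
}

# Renewal as in the second command of the thread: same key, same DN.
renew_ca() {  # $1 = working directory
    openssl req -new -x509 -days 1460 -key "$1/cakey.pem" \
        -subj "$SUBJ" -out "$1/cacert-new.pem"
}

# True when both certificates print the same value for -subject, -pubkey, ...
same_field() {  # $1 = cert A, $2 = cert B, $3 = x509 output option
    [ "$(openssl x509 -in "$1" -noout "-$3")" = \
      "$(openssl x509 -in "$2" -noout "-$3")" ]
}

# True when the certificate is still valid $2 days from now.
valid_in_days() {  # $1 = cert, $2 = days
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# True when the leaf issued under the old CA chains to the given CA cert.
leaf_verifies() {  # $1 = CA cert, $2 = leaf cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run as "sh script.sh demo" to print the renewed subject and expiry.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_old_ca "$d" && renew_ca "$d" &&
    openssl x509 -in "$d/cacert-new.pem" -noout -subject -enddate
    rm -rf "$d"
fi
```

Certificates already issued keep validating against the renewed CA cert only because the subject and key are unchanged; a leaf whose Authority Key Identifier also pins the old CA's issuer and serial number would need separate checking.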