> From: owner-openssl-us...@openssl.org On Behalf Of Kent Tong > Sent: Tuesday, 12 May, 2009 04:20
> The cert of the CA has expired. I've renewed the CA cert using: > 'the' CA being a private or internal one, obviously. (I assume this CA is also trusted by some/all people you communicate with, otherwise you're not accomplishing anything by using it.) > openssl x509 -in cacert-old.pem -days 3650 -enddate -out > cacert.pem -signkey private/cakey.pem > > I've also deleted the old CA cert from the mail client > (thunderbird) and install the new CA cert. My existing > personal cert seems to be validated by this new CA cert just fine. > I'm not familiar with thunderbird, but how do you determine this? > However, thunderbird thinks that the existing mails signed by > my personal cert are invalid because "the certificate used to > sign the message was issued by a certificate authority that > you do not trust for issuing this kind of certificate". > > Is this the normal behavior or I did not renew the CA cert properly? > It looks to me you did right. You could check by (re)displaying each certfile with openssl x509 -text and verify that only the validity and signature differ, and in particular any attributes relating to keyusage are the same. When you 'install' the CAcert can you choose anything about intended or allowed usage? Maybe some tickboxes? Could thunderbird have cached some info about the old CAcert that is now confusing it e.g. a fingerprint? Could you redo from scratch by making a new install, installing new-CAcert first, then your entity key+cert? (Or on the active copy after a VERIFIED GOOD backup?) Also I wonder if the error message might be inaccurate. That sometimes happens in software. Some other problems I can think of that SHOULD be described differently are: - entitycert (separately) expired - entitycert doesn't actually chain correctly As a test, preferably on a copy on a scratch system, could you put the old-CAcert back in, falsify the system date, and check it (still) works? > I did notice that the new CA cert uses sha1WithRSAEncryption > as the signature algorithm while the old one uses > md5WithRSAEncryption. Is this the problem? > If so, how to correct it? > It doubt it. Any decent software less than 10 years old (and I'm pretty sure thunderbird satisfies that <G>) should support SHA1, and if it didn't it should give a quite different error message. But if you want to test, just add -md5 to your x509 command line. (Note that MD5 collision attacks are now practical, so it is insecure to use MD5 signatures on adversary-influenced data, here if you issue certs to strangers. For data you create yourself, including your OWN CSR/cert, it's still okay.) ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
