Could you please post the openssl x509 -noout -text output of your client certificate?
-Kyle H

On Wed, May 13, 2009 at 2:43 AM, Kent Tong <k...@cpttm.org.mo> wrote:
>
>> 'the' CA being a private or internal one, obviously.
>> (I assume this CA is also trusted by some/all people you communicate
>> with, otherwise you're not accomplishing anything by using it.)
>
> Yes, it is a private CA trusted by all people in our organization.
>
>> I'm not familiar with thunderbird, but how do you determine this?
>
> I can verify that by deleting the CA cert, then Thunderbird will say that my
> personal cert could not be verified.
>
>> It looks to me you did right. You could check by (re)displaying
>> each certfile with openssl x509 -text and verify that only
>> the validity and signature differ, and in particular any
>> attributes relating to keyusage are the same.
>
> Yes, I did. Only the validity and the signature algorithm. Just in case, I'm
> including them below.
>
>> When you 'install' the CAcert can you choose anything
>> about intended or allowed usage? Maybe some tickboxes?
>
> Yes, I checked "can identify web sites" and "can identify mail users".
>
>> Could thunderbird have cached some info about the old
>> CAcert that is now confusing it e.g. a fingerprint?
>
> I don't think so. Is it possible that the signed mails actually contain
> the full chain?
>
>> Could you redo from scratch by making a new install,
>> installing new-CAcert first, then your entity key+cert?
>> (Or on the active copy after a VERIFIED GOOD backup?)
>
> I've tried it on multiple computers with the same effect.
>
>> Also I wonder if the error message might be inaccurate.
>> That sometimes happens in software. Some other problems
>> I can think of that SHOULD be described differently are:
>>
>> - entitycert (separately) expired
>>
>> - entitycert doesn't actually chain correctly
>>
>> As a test, preferably on a copy on a scratch system,
>> could you put the old-CAcert back in, falsify the
>> system date, and check it (still) works?
>
> I'll try. Thanks.
>
>> I doubt it. Any decent software less than 10 years old
>> (and I'm pretty sure thunderbird satisfies that <G>)
>> should support SHA1, and if it didn't it should give a
>> quite different error message. But if you want to test,
>> just add -md5 to your x509 command line.
>
> Tried it and it didn't make any difference.
>
>
> Old cert:
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 0 (0x0)
>         Signature Algorithm: md5WithRSAEncryption
>         Issuer: C=MO, ST=Macau SAR, L=Macau, O=CPTTM, CN=CA
>         Validity
>             Not Before: May 12 05:31:33 2004 GMT
>             Not After : May 11 05:31:33 2009 GMT
>         Subject: C=MO, ST=Macau SAR, L=Macau, O=CPTTM, CN=CA
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                     00:bc:e6:03:28:6b:54:83:c7:6e:f1:65:6e:bc:70:
>                     c1:9e:ee:6d:42:0f:84:14:e5:ee:a9:b6:ec:29:bd:
>                     39:78:cd:40:1c:5e:c0:0c:d0:5b:0b:7f:58:41:17:
>                     cb:ad:2a:f1:0e:fa:45:66:04:33:be:37:dd:ea:ac:
>                     ca:78:1b:49:3b:4f:b2:06:85:3c:69:87:e7:74:85:
>                     e9:91:ee:d0:b1:47:ac:78:a4:c6:ef:06:e2:fe:dd:
>                     22:2a:68:1f:b4:81:f3:9b:3a:ab:1b:9c:5e:46:56:
>                     cc:77:38:cc:a1:c3:0b:b0:f7:4c:ad:eb:90:6b:2c:
>                     10:bd:d4:cb:1d:99:c6:58:f7
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 B4:79:E5:05:D8:43:2D:E7:C2:C9:67:C7:44:03:30:AB:9A:E0:BD:1C
>             X509v3 Authority Key Identifier:
>                 keyid:B4:79:E5:05:D8:43:2D:E7:C2:C9:67:C7:44:03:30:AB:9A:E0:BD:1C
>                 DirName:/C=MO/ST=Macau SAR/L=Macau/O=CPTTM/CN=CA
>                 serial:00
>
>             X509v3 Basic Constraints:
>                 CA:TRUE
>     Signature Algorithm: md5WithRSAEncryption
>         5f:c2:97:fb:ce:22:9d:2c:6e:b2:8b:e4:d4:c6:2e:15:e3:a5:
>         de:a2:d4:50:ee:9d:e0:df:c6:96:90:1e:56:00:b5:42:1c:be:
>         cc:de:8e:b5:50:35:72:50:d1:31:91:30:bd:ea:26:74:40:a8:
>         ee:fa:43:aa:70:b9:a1:23:d1:4c:9e:81:26:07:78:d9:77:a1:
>         e9:77:31:65:dc:ba:03:17:60:b4:9f:44:cb:5c:ac:8e:76:f3:
>         c8:d0:c0:fc:05:a0:6b:e3:d5:32:78:a4:b2:b6:71:e2:f6:95:
>         75:57:9a:79:f8:18:32:cc:05:ad:82:a9:b6:d3:85:d2:08:f1:
>         0b:10
>
> New cert:
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 0 (0x0)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=MO, ST=Macau SAR, L=Macau, O=CPTTM, CN=CA
>         Validity
>             Not Before: May 11 09:28:37 2009 GMT
>             Not After : May  9 09:28:37 2019 GMT
>         Subject: C=MO, ST=Macau SAR, L=Macau, O=CPTTM, CN=CA
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                     00:bc:e6:03:28:6b:54:83:c7:6e:f1:65:6e:bc:70:
>                     c1:9e:ee:6d:42:0f:84:14:e5:ee:a9:b6:ec:29:bd:
>                     39:78:cd:40:1c:5e:c0:0c:d0:5b:0b:7f:58:41:17:
>                     cb:ad:2a:f1:0e:fa:45:66:04:33:be:37:dd:ea:ac:
>                     ca:78:1b:49:3b:4f:b2:06:85:3c:69:87:e7:74:85:
>                     e9:91:ee:d0:b1:47:ac:78:a4:c6:ef:06:e2:fe:dd:
>                     22:2a:68:1f:b4:81:f3:9b:3a:ab:1b:9c:5e:46:56:
>                     cc:77:38:cc:a1:c3:0b:b0:f7:4c:ad:eb:90:6b:2c:
>                     10:bd:d4:cb:1d:99:c6:58:f7
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 B4:79:E5:05:D8:43:2D:E7:C2:C9:67:C7:44:03:30:AB:9A:E0:BD:1C
>             X509v3 Authority Key Identifier:
>                 keyid:B4:79:E5:05:D8:43:2D:E7:C2:C9:67:C7:44:03:30:AB:9A:E0:BD:1C
>                 DirName:/C=MO/ST=Macau SAR/L=Macau/O=CPTTM/CN=CA
>                 serial:00
>
>             X509v3 Basic Constraints:
>                 CA:TRUE
>     Signature Algorithm: sha1WithRSAEncryption
>         ab:e3:08:e6:50:1b:1d:40:65:09:6b:d4:9c:bb:5a:01:4e:8f:
>         36:5e:5a:e6:8b:b0:2b:71:e5:b8:a3:eb:e2:fd:ba:01:01:b1:
>         52:4a:d7:e9:76:ad:8d:fd:14:13:46:f0:7d:e9:eb:88:8c:eb:
>         d3:4f:e5:92:28:36:03:28:f2:37:93:0d:8e:29:68:5b:98:92:
>         80:3f:20:99:47:1e:3a:0e:48:00:ca:ae:51:54:3b:90:51:54:
>         52:b9:7d:7c:75:6d:99:9e:73:27:50:1a:f2:eb:2f:4d:cd:8a:
>         5e:a8:1d:10:d2:42:7c:b7:ac:95:b8:47:55:f9:82:c8:17:61:
>         5f:f6
>
>
> -----
> --
> Kent Tong
> Wicket tutorials freely available at http://www.agileskills2.org/EWDW
> Axis2 tutorials freely available at http://www.agileskills2.org/DWSAA
> --
> View this message in context:
> http://www.nabble.com/renewing-a-CA-tp23497730p23518626.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org
> ______________________________________________________________________
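The renewal procedure discussed in this thread, as an added example that is not part of the original messages or of OpenSSL's own documentation: a private CA certificate is re-issued from the same key with a new validity period and digest, a client certificate issued under the old CA cert is verified against both CA certs, and the two CA certs are compared with the fields that are expected to change suppressed (the "only validity and signature differ" check suggested above). It goes one step further than the thread by also comparing the client cert's Authority Key Identifier with the Subject Key Identifier of each CA cert, which is the link OpenSSL's chain builder actually follows. The openssl CLI is assumed to be on PATH; every subject, file name and serial number below is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: renew a private CA certificate from its
# existing key, then check that a client certificate issued under the old CA
# cert still chains to the renewed one, and that the two CA certs differ only
# in serial, validity and signature. Needs the openssl CLI on PATH; every
# name, subject and serial below is made up for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Old self-signed CA cert, a client cert signed under it, then a renewed CA
# cert made from the same key with a new validity period, digest and serial.
build_pki() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
C  = XX
O  = Example Org
CN = Example Private CA
[v3_ca]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
[v3_client]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = clientAuth,emailProtection
EOF
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORK/ca.key" -config "$WORK/ca.cnf" \
    -sha256 -days 30 -set_serial 1 -out "$WORK/ca-old.pem"
  openssl genrsa -out "$WORK/client.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/client.key" -config "$WORK/ca.cnf" \
    -subj "/C=XX/O=Example Org/CN=alice@example.org" -out "$WORK/client.csr"
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca-old.pem" \
    -CAkey "$WORK/ca.key" -set_serial 1000 -days 30 -sha256 \
    -extfile "$WORK/ca.cnf" -extensions v3_client \
    -out "$WORK/client.pem" 2>/dev/null
  openssl req -new -x509 -key "$WORK/ca.key" -config "$WORK/ca.cnf" \
    -sha384 -days 3650 -set_serial 2 -out "$WORK/ca-new.pem"
}

# Succeeds when the client cert chains to the given CA cert.
verify_against() {
  openssl verify -CAfile "$1" "$WORK/client.pem" >/dev/null 2>&1
}

# The "only validity and signature differ" check from the thread: print the
# cert with serial, signature algorithm, validity and signature value dropped,
# so two renewals of the same CA come out identical.
stable_view() {
  openssl x509 -in "$1" -noout -text \
    -certopt no_serial,no_signame,no_validity,no_sigdump
}
same_stable_view() { [ "$(stable_view "$1")" = "$(stable_view "$2")" ]; }

# Key identifiers: the SKI is derived from the public key, so a same-key
# renewal keeps it, and that is what the client cert's AKI keyid points at.
# Older OpenSSL prints the AKI as "keyid:..."; newer prints the bare value.
ski_of() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Key Identifier/ { getline; gsub(/[ \t]/, ""); print; exit }'
}
aki_of() {
  openssl x509 -in "$1" -noout -text |
    awk '/Authority Key Identifier/ { getline; gsub(/[ \t]/, ""); sub(/^keyid:/, ""); print; exit }'
}
client_aki_matches() { [ "$(aki_of "$WORK/client.pem")" = "$(ski_of "$1")" ]; }

check() {  # check <label> <command...>: report, stop on the first failure
  label=$1; shift
  if "$@"; then echo "ok:   $label"; else echo "FAIL: $label"; exit 1; fi
}

build_pki
check "client chains to old CA cert"      verify_against "$WORK/ca-old.pem"
check "client chains to renewed CA cert"  verify_against "$WORK/ca-new.pem"
check "client AKI = old CA SKI"           client_aki_matches "$WORK/ca-old.pem"
check "client AKI = renewed CA SKI"       client_aki_matches "$WORK/ca-new.pem"
check "CA certs equal apart from serial, validity, signature" \
      same_stable_view "$WORK/ca-old.pem" "$WORK/ca-new.pem"
```

Two points the script makes visible. First, the client cert's AKI here carries only the keyid, so the renewed CA cert may have any serial number; had the entity certs been issued with `authorityKeyIdentifier = keyid,issuer:always`, the AKI would also carry the issuer name and serial, and OpenSSL's AKI matching would then require the renewed CA cert to keep the same serial. The certificates posted above both have serial 0, so they satisfy either form. Second, the `-certopt` comparison is exact: anything other than serial, validity and signature that differs between the two CA certs (a changed extension, a different key) shows up as a failed check rather than something to eyeball in two long `-text` dumps.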