On 26/08/2009 22:16, Patrick Patterson wrote:
Hi there:
Ok, then in my case $PREFIX is it_root_ca.crt (PKI public cert) and $CAPREFIX it_root_ca.key (PKI private key).
But here's what I get:
[pkiitr...@localhost ~/New_IT_ROOT_CA/pki/ca]
$ openssl x509 -set_serial 01 -clrext -extfile openssl.cnf -days 3650 -CA it_root_ca.key -CAkey it_root_ca.key -in it_root_ca.crt -out it_root_ca2.crt
The simplest way to do this is:
openssl x509 -signkey it_root_ca.key -in it_root_ca.crt -clrext -out it_root_ca2.pem -days 3650 -set_serial 01 -extfile openssl.cnf -extensions your_new_ca_extensions
Now, what are the contents of your openssl.cnf:
You SHOULD (for a Root CA) have a section something similar to:
[your_new_ca_extensions]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
That's it, that's all.
OK, I used both of the commands I've been given, and now it works :-)
openssl x509 -signkey ca.key -set_serial $SERIAL -clrext -extfile opensslIT.cnf -extensions v3_ca -days 5475 -in ca.crt -out new_it_root_ca6.crt
or
openssl x509 -set_serial $SERIAL -clrext -extfile openssl.cnf -days 5475 -CA it_root_ca.crt -CAkey it_root_ca.key -in it_root_ca.crt -out it_root_ca4.crt
My new root CA is at
http://www.it-sudparis.eu/pki/IT_MASTER_CA/newitrootca.crt
But now I've started to configure an HTTP server using that new Root CA, and apparently a browser going to
https://svnext.it-sudparis.eu/ still shows, in the "details" tab, the Root CA (class1) as the "old" one !?
Here are the relevant httpd ssl.conf directives:
SSLCertificateFile /etc/pki/tls/certs/svnext.pem
SSLCertificateKeyFile /etc/pki/tls/private/svnext.key
SSLCertificateChainFile /etc/pki/tls/certs/new_ca-chain-institut-telecom.crt
SSLCACertificateFile /etc/pki/tls/certs/newitrootca.crt
( cat evry_ca.crt ; cat itca.crt ; cat newitrootca.crt ) > new_ca-chain-institut-telecom.crt
I can check the old root CA and the new root CA based on their "not after" dates, for example:
in the browser, "not after" reads
(04/02/2023 16:48:16 GMT)
although it should read
[r...@svnext /etc/pki/tls/certs]
$ openssl x509 -in newitrootca.crt -text | grep "Not After"
Not After : Aug 23 09:37:00 2024 GMT
I wonder if browsers read the root CA from SSLCACertificateFile or if they deduce it from SSLCertificateFile /etc/pki/tls/certs/svnext.pem !?
In that case it means that I will have to re-sign all my servers :-( ?
Also, if I test my server with openssl s_client:
$ openssl s_client -host svnext.it-sudparis.eu -port 443 -CAfile /etc/pki/tls/certs/newitrootca.crt -showcerts
CONNECTED(00000003)
depth=2 /CN=Institut TELECOM class2 Certificate Authority/OU=Institut TELECOM/O=Institut TELECOM/C=fr
verify error:num=20:unable to get local issuer certificate
verify return:0
Same request with -CAfile pointing to the "old/original" itrootca.crt:
[proca...@anaconda ~]
$ openssl s_client -host svnext.it-sudparis.eu -port 443 -CAfile /etc/pki/tls/certs/itrootca.crt -showcerts
CONNECTED(00000003)
depth=3 /CN=Institut TELECOM Root class1 Certificate Authority/O=Institut TELECOM/C=fr
verify return:1
depth=2 /CN=Institut TELECOM class2 Certificate Authority/OU=Institut TELECOM/O=Institut TELECOM/C=fr
verify return:1
depth=1 /CN=TELECOM & Management SudParis class3 Certificate Authority/OU=TELECOM & Management SudParis/O=TELECOM & Management SudParis/C=fr
verify return:1
depth=0 /C=fr/ST=Essonne/L=Evry/O=Telecom et Management SudParis/OU=s2ia/CN=svnext.int-evry.fr
verify return:1
I'm confused: do I have to re-sign the other certificates (2nd-level sub-CA, 3rd-level sub-sub-CA, hundreds of servers ... :-( ), or have I misconfigured my Apache server !?
PS: recall my hierarchy

               IT_ROOT_CA
                    |
        -------------IT_CA--------------
        |            |               |
     Evry_CA      Paris_CA        Brest_CA
        |
        |------------|
       www          imap ....