Jehan PROCACCIA wrote:
> On 26/08/2009 22:16, Patrick Patterson wrote:
>> Hi there:
>>
>>> Ok, then in my case $PREFIX is it_root_ca.crt (PKI public cert) and
>>> $CAPREFIX it_root_ca.key (PKI private key).
>>> But here's what I get:
>>>
>>> [pkiitr...@localhost ~/New_IT_ROOT_CA/pki/ca]
>>> $ openssl x509 -set_serial 01 -clrext -extfile openssl.cnf -days 3650
>>> -CA it_root_ca.key -CAkey it_root_ca.key -in it_root_ca.crt -out
>>> it_root_ca2.crt
>>>
>> The simplest way to do this is:
>>
>> openssl x509 -signkey it_root_ca.key -in it_root_ca.crt -clrext -out
>> it_root_ca2.pem -days 3650 -set_serial 01 -extfile openssl.cnf -extensions
>> your_new_ca_extensions
>>
>> Now, what are the contents of your openssl.cnf?
>>
>> You SHOULD (for a Root CA) have a section something similar to:
>>
>> [your_new_ca_extensions]
>> subjectKeyIdentifier=hash
>> authorityKeyIdentifier=keyid:always,issuer:always
>> basicConstraints = critical,CA:true
>> keyUsage = critical, digitalSignature, cRLSign, keyCertSign
>>
>> That's it, that's all.
>>
> OK, I used both of the commands I've been given, and now it works :-)
>
> openssl x509 -signkey ca.key -set_serial $SERIAL -clrext -extfile
> opensslIT.cnf -extensions v3_ca -days 5475 -in ca.crt -out
> new_it_root_ca6.crt
> or
> openssl x509 -set_serial $SERIAL -clrext -extfile openssl.cnf -days 5475 -CA
> it_root_ca.crt -CAkey it_root_ca.key -in it_root_ca.crt -out
> it_root_ca4.crt
>
> My new root CA is at
> http://www.it-sudparis.eu/pki/IT_MASTER_CA/newitrootca.crt
>
> But now I start to configure an HTTP server reading that new Root CA,
> but apparently a browser going to
> https://svnext.it-sudparis.eu/ still shows in the "details" tab the
> Root CA (class1) as the "old" one!?
>
> Here are the relevant httpd ssl.conf directives:
>
> SSLCertificateFile /etc/pki/tls/certs/svnext.pem
> SSLCertificateKeyFile /etc/pki/tls/private/svnext.key
> SSLCertificateChainFile /etc/pki/tls/certs/new_ca-chain-institut-telecom.crt
> SSLCACertificateFile /etc/pki/tls/certs/newitrootca.crt
>
> ( cat evry_ca.crt ; cat itca.crt ; cat newitrootca.crt ) > new_ca-chain-institut-telecom.crt
>
> I can check the old root CA and the new root CA based on "not after" dates, for
> example: in the browser, not after reads
> (04/02/2023 16:48:16 GMT)
> although it should read
> [r...@svnext /etc/pki/tls/certs]
> $ openssl x509 -in newitrootca.crt -text | grep "Not After"
> Not After : Aug 23 09:37:00 2024 GMT
>
> I wonder if browsers read the root CA from SSLCACertificateFile or if they
> deduce it from SSLCertificateFile /etc/pki/tls/certs/svnext.pem!?
> In that case it means that I will have to re-sign all my servers :-( ?
>

Did you replace the root CA certificate on your client with the new one? Also, did you replace your root CA certificate on the server with the new one?
Until you do this, all of your clients will continue to use the old client. Also, for those few clients that actually chase AIA, you have to replace the root CA certificate with the new one at the original URL.

Have fun.

Patrick.
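The renewal the thread settles on, as an added example (not from the thread or from the OpenSSL project): build a throwaway root and a server certificate signed by it, renew the root with the same key via `openssl x509 -signkey`, then check that the public key is unchanged, the "Not After" date moved, and the old server certificate still verifies against the renewed root. The `openssl.cnf`, names and serial numbers are constructed; it assumes `openssl` is on PATH.

```shell
#!/bin/sh
# Added example: renew a self-signed root CA while keeping its key, then check
# that a leaf issued by the old root still chains to the renewed root. Assumes
# openssl on PATH; names, serials and the config below are constructed.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

cat > openssl.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[v3_leaf]
subjectKeyIdentifier=hash
# keyid only: an AKI that also carries the issuer serial stops matching once
# the root is renewed under a new serial number
authorityKeyIdentifier=keyid
basicConstraints = critical,CA:false
keyUsage = critical, digitalSignature, keyEncipherment
EOF
# Old root: new key plus a short-lived self-signed certificate.
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -config openssl.cnf -extensions v3_ca -days 30 -set_serial 1 2>/dev/null
# A server certificate issued by the old root.
openssl req -new -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -config openssl.cnf -subj '/CN=svn.example' 2>/dev/null
openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -set_serial 2 \
  -extfile openssl.cnf -extensions v3_leaf -days 30 -out srv.crt 2>/dev/null
# Renewal as in the thread: same key, new serial, new validity, CA extensions.
openssl x509 -signkey ca.key -in ca.crt -clrext -extfile openssl.cnf \
  -extensions v3_ca -days 3650 -set_serial 3 -out ca_new.crt 2>/dev/null
same_key() {      # public key carried over unchanged
  [ "$(openssl x509 -in ca.crt -pubkey -noout)" = \
    "$(openssl x509 -in ca_new.crt -pubkey -noout)" ]
}
new_expiry() {    # notAfter moved; this is what the browser "details" tab shows
  [ "$(openssl x509 -in ca.crt -enddate -noout)" != \
    "$(openssl x509 -in ca_new.crt -enddate -noout)" ]
}
leaf_verifies() { # a server cert signed by the old root needs no re-signing
  openssl verify -CAfile ca_new.crt srv.crt >/dev/null
}
```

The last check is the answer to the "re-sign all my servers" worry: a client that trusts the renewed root accepts the existing server certificates, but only once that renewed root is in the client's own trust store, which is the point of the reply above.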