Ok, the advice sounds clear ;-)
but how could I re-generate my root CA certs without breaking the
chain, knowing that the sub-CA does reference the root CA serial?
The sub-CA X509 extension Authority Key Identifier is:
$ openssl x509 -in /etc/pki/tls/certs/itca.crt -text
X509v3 Authority Key Identifier:
keyid:5E:9B:F0:D7:DD:87:48:52:99:99:DA:4B:4F:E3:9F:82:DE:16:07:C3
DirName:/CN=Institut TELECOM Root class1 Certificate Authority/O=Institut TELECOM/C=fr
serial:F9:BF:E3:44:A7:66:2A:A4
Will the chain still work if the new root CA has a different serial?
Anyhow, when I re-generate the root CA cert from the original one (-in
it_root_ca.crt), I didn't manage to change the serial :-( , although
I did use "-set_serial".
Here's the full command I used to re-generate it_root_ca.crt with its
original private key "it_root_ca.key" (recall that the purpose of all this
is to add the extension "Basic Constraints: CA:TRUE", which happens to be
lacking from the original it_root_ca.crt I signed in the first place :-( ):
openssl x509 -signkey it_root_ca.key -set_serial 01 -clrext -extfile opensslIT.cnf -extensions v3_ca -days 5475 -in it_root_ca.crt -out new_it_root_ca10.crt
The result is
http://ca.institut-telecom.fr/pki/IT_MASTER_CA/new_it_root_ca10.crt
which has serial F9:BF:E3:44:A7:66:2A:A4 and not 01 as stated by
-set_serial in the above command.
Did I miss something?
Regards.
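An added check for the two failure modes this thread runs into (it is not part of the thread and not an OpenSSL tool): two certificates in circulation with the same issuer DN and serial, which is what Firefox reports as sec_error_reused_issuer_and_serial, and a sub-CA whose Authority Key Identifier names an issuer serial that no root in the set carries any more, which is what happens if the root is reissued under a new serial but the sub-CA is not. OpenSSL's own chain verification (X509_check_akid) rejects an issuer whose serial differs from the one in the AKI with X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH, so the second condition matters for the "will the chain still work" question. The code parses the `openssl x509 -text` layout quoted in this thread (the `keyid:` / `DirName:` / `serial:` lines under the AKI); the certificate dumps it runs on are constructed to mimic that layout and are not real certificate data, the DN normalisation assumes attribute values contain no `,` or `/`, and all function names are the example's own.

```python
import re
from collections import defaultdict

def _serial_to_int(s):
    """Accept both 'Serial Number: 1 (0x1)' and 'f9:bf:e3:...' spellings."""
    s = s.strip()
    m = re.fullmatch(r"\d+\s*\(0x([0-9a-fA-F]+)\)", s)
    return int(m.group(1), 16) if m else int(s.replace(":", ""), 16)

def _rdns(dn):
    """Normalise 'CN=a, O=b' (Issuer/Subject) and '/CN=a/O=b' (AKI DirName) to one
    tuple of RDNs. Assumption: attribute values contain no ',' or '/'."""
    dn = dn.strip()
    parts = dn.split("/") if dn.startswith("/") else dn.split(",")
    return tuple(p.strip() for p in parts if p.strip())

def parse_x509_text(text):
    """Pull subject, issuer, serial and AKI fields out of one 'openssl x509 -text' dump."""
    cert = {"subject": None, "issuer": None, "serial": None,
            "aki_keyid": None, "aki_dirname": None, "aki_serial": None}
    lines, in_aki = text.splitlines(), False
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("Serial Number:"):
            # short serials sit on the same line, long ones on the next line
            rest = line[len("Serial Number:"):].strip() or lines[i + 1].strip()
            cert["serial"] = _serial_to_int(rest)
        elif line.startswith("Issuer:"):
            cert["issuer"] = _rdns(line[len("Issuer:"):])
        elif line.startswith("Subject:"):
            cert["subject"] = _rdns(line[len("Subject:"):])
        elif line.startswith("X509v3 Authority Key Identifier"):
            in_aki = True
        elif in_aki and line.startswith("keyid:"):
            cert["aki_keyid"] = line[len("keyid:"):]
        elif in_aki and line.startswith("DirName:"):
            cert["aki_dirname"] = _rdns(line[len("DirName:"):])
        elif in_aki and line.startswith("serial:"):
            cert["aki_serial"] = _serial_to_int(line[len("serial:"):])
        else:
            in_aki = False
    return cert

def find_reused_issuer_serial(certs):
    """(issuer, serial) pairs carried by more than one certificate: the condition
    Firefox reports as sec_error_reused_issuer_and_serial."""
    groups = defaultdict(list)
    for c in certs:
        groups[(c["issuer"], c["serial"])].append(c["subject"])
    return {k: v for k, v in groups.items() if len(v) > 1}

def find_dangling_aki_serials(certs):
    """Certificates whose AKI issuer DN + serial name no certificate in the set,
    e.g. a sub-CA still pointing at a root that was reissued with a new serial."""
    present = {(c["subject"], c["serial"]) for c in certs}
    return [c["subject"] for c in certs if c["aki_serial"] is not None
            and (c["aki_dirname"], c["aki_serial"]) not in present]

def _x509_text(subject, issuer, serial, aki=None, ca=True):
    """Constructed dump in the layout 'openssl x509 -text' uses (not real cert data)."""
    if serial < 0x80000000:
        serial_lines = [f"        Serial Number: {serial} (0x{serial:x})"]
    else:
        raw = serial.to_bytes((serial.bit_length() + 7) // 8, "big")
        pairs = ":".join(f"{b:02x}" for b in raw)
        serial_lines = ["        Serial Number:", f"            {pairs}"]
    out = ["Certificate:", "    Data:", "        Version: 3 (0x2)", *serial_lines,
           "        Signature Algorithm: sha1WithRSAEncryption",
           f"        Issuer: {issuer}", f"        Subject: {subject}",
           "        X509v3 extensions:"]
    if aki:
        keyid, dirname, aki_serial = aki
        out += ["            X509v3 Authority Key Identifier:",
                f"                keyid:{keyid}", f"                DirName:{dirname}",
                f"                serial:{aki_serial}"]
    if ca:  # the original root in the thread lacked this extension
        out += ["            X509v3 Basic Constraints: critical", "                CA:TRUE"]
    return "\n".join(out)

# constructed sample PKI, names taken from the thread, values are not real certs
ROOT_DN = "CN=Institut TELECOM Root class1 Certificate Authority, O=Institut TELECOM, C=fr"
ROOT_DIRNAME = "/CN=Institut TELECOM Root class1 Certificate Authority/O=Institut TELECOM/C=fr"
SUB_DN = "CN=Institut TELECOM class2 Certificate Authority, OU=Institut TELECOM, O=Institut TELECOM, C=fr"
ROOT_SERIAL, ROOT_SERIAL_TXT = 0xF9BFE344A7662AA4, "F9:BF:E3:44:A7:66:2A:A4"
KEYID = "5E:9B:F0:D7:DD:87:48:52:99:99:DA:4B:4F:E3:9F:82:DE:16:07:C3"
SUB_CA = _x509_text(SUB_DN, ROOT_DN, 2, aki=(KEYID, ROOT_DIRNAME, ROOT_SERIAL_TXT))

def audit(dumps):
    """Return (reused issuer+serial groups, subjects with dangling AKI serials)."""
    certs = [parse_x509_text(d) for d in dumps]
    return find_reused_issuer_serial(certs), find_dangling_aki_serials(certs)

def scenario_resigned_same_serial():
    """Original root (no CA:TRUE) and re-signed root both in circulation, same serial."""
    return audit([_x509_text(ROOT_DN, ROOT_DN, ROOT_SERIAL, ca=False),
                  _x509_text(ROOT_DN, ROOT_DN, ROOT_SERIAL), SUB_CA])

def scenario_new_serial():
    """Root reissued with serial 1 while the sub-CA's AKI still names the old serial."""
    return audit([_x509_text(ROOT_DN, ROOT_DN, 1), SUB_CA])
```

`audit()` takes a list of `-text` dumps, so on a real CA store one would feed it the output of `openssl x509 -in <cert> -text` for every root and intermediate in circulation. The first scenario reproduces the browser complaint (one reused issuer+serial pair, no dangling AKI), the second shows the opposite trade-off: a fresh root serial clears the reuse but leaves the sub-CA's AKI pointing at a serial that no longer exists, which is why a root rollover that changes the serial also means reissuing the sub-CA that names it.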
Kyle Hamilton wrote:
Never, ever, ever, ever, ever under any circumstances issue the same
serial number twice. You tried to issue the same serial to both roots
-- badbadbadbadbadDONOT.
-Kyle H
On Tue, Sep 1, 2009 at 8:56 AM, jehan procaccia <jehan.procac...@it-sudparis.eu> wrote:
jehan procaccia wrote:
I finally found it!
[proca...@anaconda ~]
$ openssl s_client -host svnext.it-sudparis.eu -port 443 -CAfile
/etc/pki/tls/certs/new_it_root_ca10.crt -verify 3
verify depth is 3
CONNECTED(00000003)
depth=3 /CN=Institut TELECOM Root class1 Certificate Authority/O=Institut
TELECOM/C=fr
verify return:1
depth=2 /CN=Institut TELECOM class2 Certificate Authority/OU=Institut
TELECOM/O=Institut TELECOM/C=fr
verify return:1
depth=1 /CN=TELECOM & Management SudParis class3 Certificate
Authority/OU=TELECOM & Management SudParis/O=TELECOM & Management
SudParis/C=fr
verify return:1
depth=0 /C=fr/ST=Essonne/L=Evry/O=Telecom et Management
SudParis/OU=s2ia/CN=svnext.int-evry.fr
verify return:1
---
Certificate chain
0 s:/C=fr/ST=Essonne/L=Evry/O=Telecom et Management
SudParis/OU=s2ia/CN=svnext.int-evry.fr
i:/CN=TELECOM & Management SudParis class3 Certificate
Authority/OU=TELECOM & Management SudParis/O=TELECOM & Management
SudParis/C=fr
1 s:/CN=TELECOM & Management SudParis class3 Certificate
Authority/OU=TELECOM & Management SudParis/O=TELECOM & Management
SudParis/C=fr
i:/CN=Institut TELECOM class2 Certificate Authority/OU=Institut
TELECOM/O=Institut TELECOM/C=fr
2 s:/CN=Institut TELECOM class2 Certificate Authority/OU=Institut
TELECOM/O=Institut TELECOM/C=fr
i:/CN=Institut TELECOM Root class1 Certificate Authority/O=Institut
TELECOM/C=fr
3 s:/CN=Institut TELECOM Root class1 Certificate Authority/O=Institut
TELECOM/C=fr
i:/CN=Institut TELECOM Root class1 Certificate Authority/O=Institut
TELECOM/C=fr
Now everything seems ok with that new root CA:
http://ca.institut-telecom.fr/pki/IT_MASTER_CA/new_it_root_ca10.crt
Unfortunately it's not completely finished :-(
Now on clients where I removed the original root CA and added the new
re-signed root CA (new_it_root_ca10.crt),
I have an issuer/serial problem when accessing a server configured with the
"old" root CA.
For example, going to https://www-cours.it-sudparis.eu/, a server which is
configured with the original chain and the itrootca root CA,
Firefox complains about:
"sec_error_reused_issuer_and_serial"
The same with the SeaMonkey client:
"Your certificate contains the same serial number as another certificate
issued by the certificate authority. Please get a new certificate containing
a unique serial number"
Indeed, my re-signed root CA
(http://ca.institut-telecom.fr/pki/IT_MASTER_CA/new_it_root_ca10.crt) does
have the same serial value as the original itrootca.crt:
$ openssl x509 -in /etc/pki/tls/certs/new_it_root_ca10.crt -text
...
Serial Number:
f9:bf:e3:44:a7:66:2a:a4
X509v3 Authority Key Identifier:
serial:F9:BF:E3:44:A7:66:2A:A4
...
Indeed, I suppose that when I re-signed my root CA this way:
openssl x509 -signkey it_root_ca.key -set_serial 01 -clrext -extfile opensslIT.cnf -extensions v3_ca -days 5475 -in it_root_ca.crt -out new_it_root_ca10.crt
then, as long as I call the original
-in it_root_ca.crt
in the command above, I suspect it extracts the serial from it, no matter
what I set with the "-set_serial" openssl option; it does not set anything new!
Then, here's my question: should I set a new serial in order not to conflict
with the original one, and how can I set it?
If I cannot set a new serial, then it means I should change all my server
ca-chain configs in one shot the same day, and all my clients' browser
"keystores" :-( ? Or is there a soft and clean way to migrate smoothly from
the original root CA to the new one?
Thanks.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org