Yes, easy, just open openssl.conf in a notepad or another simple text
editor and set it to the desired number of days/years.  I have done so
on our internal CA, and it simply works.

If you wish to increase (not decrease) the validity length of your existing CA, you will need to do the following:

  1. Copy all CA data, keys and configuration to another location on
  your server disk, the next steps may easily destroy it.

  2. Using the existing private key file from the CA and a custom
  one-off openssl.conf, create a completely identical CA self-signed
  certificate with the same key, the same serial number and all the
  same data except for the expiration date which should be the new one.

  3. Use the command
    openssl x509 -in yourcacert.crt -noout -text > yourcacert.txt
  to produce text dumps of both the old and new CA certificate.

  4. Compare the two text files to make sure there are no unintended
  differences between the old and new CA cert.

  5. Copy the new CA cert file to a third location on your server hard
  disk.

  6. Restore the CA backup from step 1.

  7. Copy the new CA cert file on top of the existing CA cert file in
  the configuration.

If you wish to increase (not decrease) the validity length of a certificate issued by your existing CA (within the validity period of
your existing CA, which you may just have increased), you will need
to do the following:

  1. Find the original CSR in the archives of your CA server.

  2. Sign the certificate again, this time overriding the validity
  length requested in the CSR to give the certificate a longer validity
  period.

  3. Send the new certificate to the user or service that needs it.


On 19-10-2010 09:47, Lutz Jaenicke wrote:
Forwarded to openssl-users for discussion.

Best regards,
        Lutz

----- Forwarded message from Santhosh AP<apsanthosh.ku...@sifycorp.com>  -----

Reply-To: santhosh...@sifycorp.com
From: Santhosh AP<apsanthosh.ku...@sifycorp.com>
To: r...@openssl.org
Subject: default_crl_days= 365
Date: Tue, 19 Oct 2010 10:16:09 +0530
Thread-Index: ActvSItTKvsOwU5sQvG6vwyuLJ0ymA==

Hi Team,



   We had 1x server in our organization, one difficulty we are facing is
default validity of digital certificate is 365 days. Is it possible to edit
the same to 2 or 3 years? Requesting to revert on this "default_crl_days"
configuration in openssl.conf.



Regards

Santhosh AP

Sify Ltd, Chennai.









----- End forwarded message -----
--
Lutz Jaenicke           jaeni...@openssl.org
OpenSSL Project         http://www.openssl.org/~jaenicke/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
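
Steps 2 to 4 of the CA procedure in the reply above, as an added shell example (not part of the original messages) run against a constructed throwaway CA; the file names, subject, serial 4097 and the helper functions are assumptions. It goes one step beyond the message by also checking that a certificate issued under the old CA certificate still verifies against the re-issued one.

```shell
# Added example. The CA is a constructed throwaway; names and serial are hypothetical.

# Text dump minus validity dates and signature bytes, the only parts that
# should change when the CA cert is re-issued.
stable_fields() {
    openssl x509 -in "$1" -noout -text -certopt no_validity -certopt no_sigdump
}

# Step 4 as a check: true only if the two certs differ in nothing else.
same_identity() {
    [ "$(stable_fields "$1")" = "$(stable_fields "$2")" ]
}

# Step 2: self-sign with an existing key. Args: config key serial days out
issue_ca() {
    openssl req -new -x509 -sha256 -config "$1" -key "$2" -set_serial "$3" -days "$4" -out "$5"
}

# Build the throwaway CA in directory $1 and run steps 2-4 on it.
demo() (
    cd "$1" || exit 1
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Org
CN = Example Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out ca.key 2048 2>/dev/null
    issue_ca ca.cnf ca.key 4097 365  old.crt   # stands in for the current cert
    issue_ca ca.cnf ca.key 4097 3650 new.crt   # same key and serial, longer life
    openssl x509 -in old.crt -noout -text > old.txt   # step 3
    openssl x509 -in new.crt -noout -text > new.txt
    diff old.txt new.txt || true                      # review these lines by eye
    # A certificate issued under the old CA cert must still verify with the new one.
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=leaf.example" \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA old.crt -CAkey ca.key -set_serial 2 \
        -days 30 -out leaf.crt 2>/dev/null
    same_identity old.crt new.crt && openssl verify -CAfile new.crt leaf.crt
)

demo "$(mktemp -d)"
```

With `openssl req -x509` the Not Before date is set to the time of issue, so it can show up in the diff alongside Not After and the signature.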
