>You need to generate a new certificate with the same data (except a
>different serial number and a reference to sha1WithRSAEncryption),
>containing the same public key, and signed with the same private key.
>
>I'd recommend sha256WithRSAEncryption, but that's possibly not an
>option for you.
>
>Make sure that you do not reuse the same serial number, it *will*
>cause problems (particularly for such software as Firefox, but also
>for anything that's written in an X.509-pedantic mode).
>
>-Kyle H

Okay, thanks. Would this mean that I need to replace the old root cert
with the new one on all clients? I have certificates that are already
in use and the new root cert would have a start date of today, wouldn't
it confuse the client when the start date of the cert is older than that
of the root cert?

Also I managed to convert the existing root cert from md5 to sha1 with

    openssl x509 -sha1 -inform pem -outform pem -in cacert.pem -out cacertsha1.pem -signkey cakey.pem

this recreates the cert with sha1 but it also resets the startdate to
<now>. I tried using -startdate and -enddate but openssl moans that it
doesn't recognize the date as an option. I tried 'Jan 01 10:37:30 2014 GMT'
as well as the YYMMDDHHMMSSZ, both don't work.

Thanks,
Stephan

>On Tue, Apr 15, 2014 at 1:41 AM, <steff...@gmx.de> wrote:
>> Hello world,
>>
>> I am running my own little CA and the root certificate was created using md5:
>>
>> Signature Algorithm: md5WithRSAEncryption
>>
>> I need to change this to sha1 because I have clients that do not accept md5
>> anymore. Is there any way to convert the existing cert from md5 to sha1? I
>> tried converting it to another format and then reimporting it using -sha1
>> but this doesn't work.
>>
>> Thanks,
>> Stephan
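
Added example, not part of the thread and not written by either poster: one way to re-sign a self-signed root with the same key, same subject and the original validity dates but a new serial is `openssl ca -selfsign`, which accepts `-startdate` and `-enddate`. It uses SHA-256, as Kyle recommends. The function name `reissue_root`, the throwaway CA config and the `v3_ca` extension set are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: re-sign an existing self-signed root with SHA-256, keeping
# its key, subject DN and validity window, and giving it a new serial.
# usage: reissue_root OLD_CERT.pem CA_KEY.pem NEW_CERT.pem
reissue_root() {
    old=$1 key=$2 new=$3
    work=$(mktemp -d) || return 1

    # notBefore/notAfter are the first two time values in the DER structure,
    # already in the YYMMDDHHMMSSZ form that `openssl ca` accepts.
    dates=$(openssl asn1parse -in "$old" |
            awk -F: '/UTCTIME|GENERALIZEDTIME/ {print $NF}')
    start=$(printf '%s\n' "$dates" | sed -n 1p)
    end=$(printf '%s\n' "$dates" | sed -n 2p)

    # Throwaway CA database; a fresh random serial avoids reusing the old one.
    : > "$work/index.txt"
    openssl rand -hex 16 > "$work/serial"
    cat > "$work/ca.cnf" <<EOF
[ca]
default_ca = reissue
[reissue]
database = $work/index.txt
new_certs_dir = $work
serial = $work/serial
policy = any
default_md = sha256
[any]
commonName = optional
[v3_ca]
# Assumed extension set; mirror whatever the original root carries.
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF

    # Turn the old cert into a CSR (same subject, same key), then self-sign
    # it again with explicit start and end dates.
    openssl x509 -x509toreq -in "$old" -signkey "$key" -out "$work/ca.csr" &&
    openssl ca -batch -notext -selfsign -preserveDN -config "$work/ca.cnf" \
        -keyfile "$key" -in "$work/ca.csr" -out "$new" -md sha256 \
        -extensions v3_ca -startdate "$start" -enddate "$end"
    rc=$?
    rm -rf "$work"
    return $rc
}
```

Because subject and key are unchanged, certificates already issued under the old root still chain to the reissued one, but clients that reject the MD5-signed file need the new file installed as their trust anchor. A leaf whose authorityKeyIdentifier pins the issuer's serial number would not match the new serial.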