(Resending because I accidentally sent this
reply from the wrong address last week, and
yes, this is the correct mailing list).

No, don't dump the CA certificate.  Dump one
of the *old* *issued* certificates.

There is nothing to diff against, you need to
see in what ways the *old* *issued*
certificates referred to the *old* CA
certificate, and then make sure those values
remain the same in the new CA certificate.

On 18/03/2015 04:20, Alex Samad - Yieldbroker wrote:

Hi

I have done that and compared the output with diff

The only differences are

Serial number

Signature algo

Comment

Signature.

Alex

*From:*openssl-users [mailto:openssl-users-boun...@openssl.org] *On Behalf Of *Jakob Bohm
*Sent:* Wednesday, 18 March 2015 6:50 AM
*To:* openssl-users@openssl.org
*Subject:* Re: [openssl-users] question about resigning a certificate

On 16/03/2015 02:46, Alex Samad - Yieldbroker wrote:

    Hi

    I had a sha1 signed CA and I issued other identity and CA certificates 
from this CA.

    With the deprecation of sha1 coming, I resigned my original CA (self 
signed) as sha512, with the same creation and expiry dates. I believe the only 
thing changed was the signature and serial number.

    But when I go to verify older certs that were signed by the original CA 
(the sha1 signed one), they are no longer valid.

    I thought if I used the same private and public key I should be okay. I 
thought the only relevant issue was the issuer field and that the CA keys were 
the same. Was I wrong?

    Alex

Run openssl x509 -noout -text -in OneOfYourIssuedCerts.pem | more

Look at what aspects of your CA are mentioned.  For example,
does it include the "X509v3 Authority Key Identifier"
extension, and if so, which fields from the CA cert are
included?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
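The failure mode discussed in this thread, reproduced as an added example that is not part of the original mail exchange: the script below builds a small test CA with the `openssl` command line, issues two certificates from it that differ only in what their Authority Key Identifier extension carries, then re-signs the CA certificate with the same key (sha512, new serial number, as the original poster did) and again with the same key and the old serial number, and checks which of the issued certificates still verify. All subjects, file names and serial numbers are made up for the demonstration; it assumes an OpenSSL 1.1.1 or 3.x `openssl` binary in PATH. The "old" CA is signed with sha256 rather than sha1 only because OpenSSL 3 refuses to verify SHA-1 signatures at its default security level, which would obscure the point being shown.

```shell
#!/bin/sh
# Added example (not from the thread): show why a re-signed CA certificate
# breaks previously issued certificates depending on what their Authority
# Key Identifier (AKI) pins. Assumes the `openssl` CLI (1.1.1 or 3.x) in PATH.
# Every subject, file name and serial number below is made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One CA profile and two leaf profiles that differ only in the AKI contents:
#   leaf_keyid  -> AKI = keyid only (hash of the CA public key)
#   leaf_serial -> AKI = keyid + issuer DN + serial number of the CA *cert*
cat >"$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_keyid]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf_serial]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
EOF

openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
openssl genrsa -out "$WORK/leaf.key" 2048 2>/dev/null

# make_ca NAME DIGEST SERIAL: self-sign the *same* CA key with the given digest
# and serial number; subject, validity and extensions are identical each time.
make_ca() {
  openssl req -x509 -new -key "$WORK/ca.key" -"$2" -set_serial "$3" -days 3650 \
    -subj "/CN=Example Test CA" -config "$WORK/ca.cnf" -extensions v3_ca \
    -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf NAME PROFILE: issue an end-entity cert from old-ca using the
# extension profile PROFILE (leaf_keyid or leaf_serial).
issue_leaf() {
  openssl req -new -key "$WORK/leaf.key" -subj "/CN=leaf.example.test" \
    -config "$WORK/ca.cnf" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/old-ca.pem" -CAkey "$WORK/ca.key" \
    -set_serial 1000 -sha256 -days 365 -extfile "$WORK/ca.cnf" -extensions "$2" \
    -out "$WORK/$1.pem" 2>/dev/null
}

# verify_with CA LEAF: exit status 0 iff LEAF chains to the CA certificate CA.
verify_with() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# ca_serial NAME: print the certificate serial the way openssl shows it.
ca_serial() {
  openssl x509 -noout -serial -in "$WORK/$1.pem"
}

# show_aki NAME: the extension lines Jakob's advice tells you to look at.
show_aki() {
  openssl x509 -noout -text -in "$WORK/$1.pem" \
    | grep -A3 'Authority Key Identifier' || echo "(no AKI extension)"
}

# 1. The original CA certificate (serial 1) and two certs issued from it.
make_ca old-ca sha256 1
issue_leaf leaf-keyid  leaf_keyid
issue_leaf leaf-serial leaf_serial

# 2. Re-sign the CA with the same key: sha512 with a NEW serial (what the
#    poster did), then sha512 with the OLD serial.
make_ca new-ca-serial2 sha512 2
make_ca new-ca-serial1 sha512 1

report() {
  if verify_with "$1" "$2"; then echo "  $2: OK"; else echo "  $2: FAILS"; fi
}
for ca in old-ca new-ca-serial2 new-ca-serial1; do
  echo "== $ca ($(ca_serial "$ca"))"
  report "$ca" leaf-keyid
  report "$ca" leaf-serial
done
echo "== AKI of leaf-serial (pins the old CA cert's issuer DN and serial):"
show_aki leaf-serial
```

Only the certificate whose AKI carries just the key identifier survives the re-signing with a new serial: the key identifier is derived from the public key, which did not change. The certificate whose AKI also carries the issuer DN and the CA certificate's serial number stops chaining, with `openssl verify` reporting that it cannot find the issuer, because OpenSSL compares that pinned serial against the serial of the candidate CA certificate before accepting it as the issuer. Re-signing the CA with the old serial number, as the third CA in the script does, makes that certificate verify again, which is the "make sure those values remain the same" point from the reply above.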