On 24/02/2023 00:20, Bo Berglund wrote:
[...snip...]
I'll let others follow up on the easy-rsa usage.
This renewed certificate uses the original entity private key.
This expiration business, does it apply only to crt files?
With all other files remaining the same over time?
Yes. The certificate files (".crt") are basically a public key with
some meta data and a signature done by the CA. This signature is there
to ensure the meta data has not been modified after the certificate was
issued.
The meta data is information about who the certificate belongs to
(Certificate Subject), validity (start/end dates; hereby the expiry
dates), who signed the certificate and the intended usage for this
public key.
The signature in a certificate can be validated by having a copy of the
public key of the CA, hence you have the CA certificate distributed.
By keeping the private key the same, the public key (which is derived
from the private key) stays the same. And when keeping the meta data
the same - with the exception of the expiry time - it is basically just
the validity and CA signature which change in the certificate.
In that context, you can basically say that the Certificate Signing
Request (the ".csr" file) is the public key + some meta data which the
CA signs, which then has the certificate (".crt") as the output. During
the signing process, the CA verifies the suggested meta data. But the
CA may decide to modify this information before signing it. The only
thing the CA cannot change is the public key attached to the CSR.
--
kind regards,
David Sommerseth
OpenVPN Inc
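
The relationship described in the message above can be checked with the plain `openssl` command line. This is an added example, not part of the original message and not easy-rsa's own procedure; the throwaway CA, the file names, the subject names and the validity periods are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: throwaway PKI in a temp dir; every name here is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_pki() {
  # CA key pair plus self-signed CA certificate (what gets distributed as ca.crt)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Entity private key plus CSR (public key + requested meta data)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client1" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
}

# sign <out.crt> <days> <serial>: the CA signs the same CSR again
sign() {
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -set_serial "$3" -days "$2" -out "$WORK/$1" 2>/dev/null
}

# SHA-256 over the DER public key held in a .key, .csr or .crt file
pubkey_fp() {
  case "$1" in
    *.key) openssl pkey -in "$WORK/$1" -pubout ;;
    *.csr) openssl req -in "$WORK/$1" -noout -pubkey ;;
    *.crt) openssl x509 -in "$WORK/$1" -noout -pubkey ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

cert_fp()     { openssl x509 -in "$WORK/$1" -noout -fingerprint -sha256; }
not_after()   { openssl x509 -in "$WORK/$1" -noout -enddate; }
ca_verifies() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1" >/dev/null 2>&1; }

make_pki
sign client-old.crt 30 1     # original certificate
sign client-new.crt 825 2    # renewal: same key, same subject, new validity

for f in client.key client.csr client-old.crt client-new.crt; do
  printf '%-16s pubkey %s\n' "$f" "$(pubkey_fp "$f")"
done
for f in client-old.crt client-new.crt; do
  printf '%-16s %s  %s\n' "$f" "$(not_after "$f")" "$(cert_fp "$f")"
  if ca_verifies "$f"; then echo "  signature validates against ca.crt"; fi
done
```

The four public-key hashes are identical, while the expiry date and the certificate fingerprint differ between the two `.crt` files, so only the certificate needs to be redistributed after a renewal.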