> On my little system I've three types of self created certificates that
> will all expire this year (I didn't pay much attention to expiration
> when first creating them).
>
> I'm now looking for a way to extend this validity without recreating the
> certificates and therefore breaking existing trust-relation.

There is no way to extend certificate validity (other than changing your computer clock - not recommended), but you can issue a new certificate with the same keypair used originally (standard procedure for renewal). Because you maintain the keys, you are not breaking any trust relations.

> i) my CA. I have the key-file and the crt-file.
> If I need to recreate this I need to recreate and resign all
> certificates of type ii) also and I'll need to redistribute the new CA
> to all clients that have this cert installed.

Only the cert file needs recreation and yes, all the clients will have to have the new cert (watch out to use the same subject as well, i.e. create a new, identical certificate that only differs in the validity and serial number).

> ii) the certificates signed by the above CA. These are mostly certificates
> for virtual hosts with my apache. I've the key-file and the
> crt-file and even the csr-file.

None of these need to be recreated because of the new CA certificate; however, if these certs expire themselves then you also need to renew them. Same as before, only the certs need renewal - key pairs can be maintained.

> iii) selfsigned certificates I use for securing mailtransfer.
> I have the pem-file in this case.

Same as above, create a new cert but maintain the key. But actually you can simply reuse your expired certs as they are self-signed; you (and nobody else) trust your certs. All the trust is directly in your public-private key pair.

> I hope that I can extend the validity with openssl without
> recreating.

Nope, that's what makes certificates safe.

Markus

> thnx,
> peter
>
> --
> mag. peter pilsl
> IT-Consulting
> tel: +43-699-1-3574035
> fax: +43-699-4-3574035
> [EMAIL PROTECTED]
> http://www.goldfisch.at
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
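
The renewal described in the reply above, as an added example that is not part of the original mailing-list message: it issues a CA certificate, signs a host certificate, re-issues the CA certificate from the same key and subject, and checks that the untouched host certificate verifies against the renewed CA certificate. All file names, subjects, serials and validity periods are constructed for the demo, and it assumes the `openssl` command-line tool with a default configuration is installed.

```shell
#!/usr/bin/env bash
# Demo: renew a CA certificate with the SAME key pair and subject, then check
# that a host certificate issued before the renewal still verifies.
# File names, subjects and serial numbers are constructed for this demo.

CA_SUBJ="/O=Example Org/CN=Example Demo CA"   # must be identical in old and new cert

renew_ca_demo() {
  local dir rc
  dir=$(mktemp -d) || return 1
  (
    set -e
    cd "$dir"
    # Original CA: key pair plus self-signed certificate (serial 1).
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -key ca.key -subj "$CA_SUBJ" -days 30 \
      -set_serial 1 -out ca-old.crt
    # Host certificate (type ii in the thread), signed with the CA key.
    openssl genrsa -out host.key 2048 2>/dev/null
    openssl req -new -key host.key -subj "/CN=www.example.test" -out host.csr
    openssl x509 -req -in host.csr -CA ca-old.crt -CAkey ca.key \
      -set_serial 100 -days 30 -out host.crt 2>/dev/null
    # Renewal: same ca.key, same subject, new serial and new validity.
    openssl req -new -x509 -key ca.key -subj "$CA_SUBJ" -days 3650 \
      -set_serial 2 -out ca-new.crt

    field() { openssl x509 -in "$1" -noout "$2"; }
    [ "$(field ca-old.crt -pubkey)"  = "$(field ca-new.crt -pubkey)" ]  && echo "pubkey: same"
    [ "$(field ca-old.crt -subject)" = "$(field ca-new.crt -subject)" ] && echo "subject: same"
    [ "$(field ca-old.crt -serial)" != "$(field ca-new.crt -serial)" ]  && echo "serial: changed"
    # host.crt was never re-issued, yet it chains to the renewed CA certificate.
    openssl verify -CAfile ca-new.crt host.crt >/dev/null 2>&1 && echo "host cert: verifies"
  )
  rc=$?
  rm -rf "$dir"
  return $rc
}

renew_ca_demo
```

Clients still have to install `ca-new.crt` in place of the old CA certificate, since only the renewed file carries the later expiry date.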