It is not true, because it is possible to extend the validity of a
certificate, even with openssl.

You have to create a new certification request, with an extended period of
time.

Rossi


----- Original Message -----
From: "Markus Lorch" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 17, 2003 3:10 PM
Subject: RE: extend validity of existing certificates


> >
> > On my little system I've three types of self created certificates that
> > will all expire this year (I didn't pay much attention to expiration
> > when first creating them).
> >
> > I'm now looking for a way how to extend this validity without recreating
> > the certificates and therefore breaking existing trust-relation.
>
> There is no way to extend certificate validity (other than changing your
> computer clock - not recommended) but you can issue a new certificate with
> the same keypair used originally (standard procedure for renewal)
>
> but because you maintain the keys you are not breaking any trust relations
>
> >
> > i) my CA. I have the key-file and the crt-file.
> >   If I need to recreate this I need to recreate and resign all
> > certificates of type ii) also and I'll need to redistribute the new CA
> > to all clients that have this cert installed.
>
> only the cert file needs recreation and yes, all the clients will have to
> have the new cert (watch out to use the same subject as well, i.e. create a
> new, identical certificate that only differs in the validity and serial
> number)
>
> >
> > ii) the certificates signed by the above CA. These are mostly certificates
> > for virtual hosts with my apache. I've the key-file and the
> > crt-file and even the csr-file.
> >
>
> none of these need to be recreated because of the new CA certificate, however
> if these certs expire themselves then you also need to renew them. Same as
> before, only the certs need renewal - key pairs can be maintained
>
> > iii) selfsigned certificates I use for securing mailtransfer.
> > I have the pem-file in this case.
>
> same as above, create a new cert but maintain the key. But actually you can
> simply reuse your expired cert as they are self-signed, you (and nobody else)
> trust your certs. All the trust is directly in your public-private key pair.
> >
> > I hope that I can extend the validity with openssl without recreating.
> >
>
> nope, that's what makes certificates safe.
>
> Markus
>
>
>
> >
> > thnx,
> > peter
> >
> > --
> > mag. peter pilsl
> > IT-Consulting
> > tel: +43-699-1-3574035
> > fax: +43-699-4-3574035
> > [EMAIL PROTECTED]
> > http://www.goldfisch.at
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    [EMAIL PROTECTED]
> > Automated List Manager                           [EMAIL PROTECTED]
> >
>
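The renewal discussed in this thread (a new CA certificate over the same key pair and subject, differing only in validity and serial), as an added example that is not part of the original messages. It assumes the openssl command-line tool with its default configuration file is installed; "Demo CA", www.example.test and all file names are constructed. It also builds a same-subject CA with a fresh key for contrast.

```shell
#!/bin/sh
# Added example; "Demo CA", www.example.test and all file names are constructed.
# Prints three fields: whether the old and renewed CA certs carry the same
# public key, and whether the host cert verifies under the renewed CA cert
# and under a same-subject CA cert made with a different key.
renew_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # 1. Original CA: new key plus a self-signed certificate, 30 days.
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key \
            -subj "/CN=Demo CA" -days 30 -set_serial 1 -out ca-old.crt 2>/dev/null || exit 1
        # 2. Host certificate signed by that CA (type ii in the thread).
        openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key \
            -subj "/CN=www.example.test" -out leaf.csr 2>/dev/null || exit 1
        openssl x509 -req -in leaf.csr -CA ca-old.crt -CAkey ca.key \
            -set_serial 100 -days 30 -out leaf.crt 2>/dev/null || exit 1
        # 3. Renewal: existing key, same subject, new validity and serial.
        openssl req -x509 -new -key ca.key -subj "/CN=Demo CA" \
            -days 3650 -set_serial 2 -out ca-new.crt 2>/dev/null || exit 1
        # 4. Contrast: same subject, but a freshly generated key.
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca2.key \
            -subj "/CN=Demo CA" -days 3650 -set_serial 3 -out ca-rekeyed.crt 2>/dev/null || exit 1

        old_pub=$(openssl x509 -in ca-old.crt -noout -pubkey)
        new_pub=$(openssl x509 -in ca-new.crt -noout -pubkey)
        [ "$old_pub" = "$new_pub" ] && same=yes || same=no
        # The host cert chains to the renewed CA cert: the signing key is unchanged.
        openssl verify -CAfile ca-new.crt leaf.crt >/dev/null 2>&1 && renewed=OK || renewed=FAIL
        # It does not chain to the re-keyed CA cert, although the subject matches.
        openssl verify -CAfile ca-rekeyed.crt leaf.crt >/dev/null 2>&1 && rekeyed=OK || rekeyed=FAIL
        echo "same_key=$same renewed=$renewed rekeyed=$rekeyed"
    )
    status=$?
    rm -rf "$dir"
    return $status
}

renew_demo
```

Clients still have to install ca-new.crt in place of the old CA certificate; the already issued host certificates stay as they are until they expire themselves.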