Thanks a lot for your detailed answer.

I already started following your recommendations and created a new
CA.crt based on the given "old" ca.key, and also created a new CSR
(also based on its "old" key) and signed it with the "new" CA to get a
new CRT.

The new CRT is perfectly accepted by all clients (web browsers) even if
they have the old CA.CRT installed.
So I have time to distribute the "new" CA.CRT until the "old" CA.CRT expires.

I tested this scenario by changing the clock of some clients. IE5.5 will
then claim that the certificate itself has expired.

Thanks again,
peter

On Mon, Feb 17, 2003 at 09:10:39AM -0500, Markus Lorch wrote:
> > 
> > On my little system I've three types of self-created certificates that
> > will all expire this year (I didn't pay much attention to expiration
> > when first creating them).
> > 
> > I'm now looking for a way to extend this validity without recreating the
> > certificates and therefore breaking existing trust relations.
> 
> There is no way to extend certificate validity (other than changing your
> computer clock - not recommended) but you can issue a new certificate
> with the same keypair used originally (standard procedure for renewal),
> 
> but because you maintain the keys you are not breaking any trust
> relations.
> 
> > 
> > i) my CA. I have the key-file and the crt-file.
> >   If I need to recreate this I need to recreate and resign all
> > certificates of type ii) also and I'll need to redistribute the new CA
> > to all clients that have this cert installed.
> 
> only the cert file needs recreation and yes, all the clients will have
> to have the new cert (watch out to use the same subject as well, i.e.
> create a new, identical certificate that only differs in the validity
> and serial number)
> 
> > 
> > ii) the certificates signed by the above CA. These are mostly
> > certificates for virtual hosts with my Apache. I've the key-file and
> > the crt-file and even the csr-file.
> > 
> 
> none of these need to be recreated because of the new CA certificate,
> however if these certs expire themselves then you also need to renew
> them. Same as before, only the certs need renewal - key pairs can be
> maintained.
> 
> > iii) self-signed certificates I use for securing mail transfer.
> > I have the pem-file in this case.
> 
> same as above, create a new cert but maintain the key. But actually you
> can simply reuse your expired cert as they are self-signed; you (and
> nobody else) trusts your certs. All the trust is directly in your
> public-private key pair.
> > 
> > I hope that I can extend the validity with openssl without recreating.
> > 
> 
> nope, that's what makes certificates safe. 
> 
> Markus
>  
> 
> 
> > 
> > Thanks,
> > peter
> > 
> > -- 
> > mag. peter pilsl
> > IT-Consulting
> > tel: +43-699-1-3574035
> > fax: +43-699-4-3574035
> > [EMAIL PROTECTED]
> > http://www.goldfisch.at
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    [EMAIL PROTECTED]
> > Automated List Manager                           [EMAIL PROTECTED]
> > 
> 
> 

-- 
mag. peter pilsl
IT-Consulting
tel: +43-699-1-3574035
fax: +43-699-4-3574035
[EMAIL PROTECTED]
http://www.goldfisch.at
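The renewal procedure discussed in the thread (new CA certificate from the old CA key with the same subject, differing only in serial and validity; existing host CSR re-signed by the new CA; clients holding the old CA certificate still validating the new host certificate until the old CA expires), as an added, self-contained demonstration with the openssl command line. This is not the posters' own set of commands. The file names (ca.key, ca.csr, old-ca.crt, new-ca.crt, host.key, host.csr, host.crt), the subjects, the serial numbers and the validity periods are assumptions; the key pairs are generated here only because a fresh sandbox has none, whereas on the poster's system they already exist and are reused.

```shell
#!/bin/sh
# Demonstration of certificate renewal with unchanged key pairs. All file
# names, subjects, serials and validity periods below are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# CA extensions, kept identical for the old and the new CA certificate so
# that the two really differ only in serial number and validity.
cat > ca-ext.cnf <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

CA_SUBJ="/CN=Example Root CA"

# Stand-in for the existing "old" CA: key, CSR and a cert about to expire.
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -key ca.key -subj "$CA_SUBJ" -out ca.csr
openssl x509 -req -in ca.csr -signkey ca.key -days 30 -set_serial 1 \
    -extfile ca-ext.cnf -extensions v3_ca -out old-ca.crt 2>/dev/null

# Stand-in for an existing host key pair and CSR (type ii in the thread).
openssl genrsa -out host.key 2048 2>/dev/null
openssl req -new -key host.key -subj "/CN=www.example.test" -out host.csr

# Step 1: new CA certificate from the OLD key and the same CSR, so subject
# and public key are unchanged; only serial number and validity differ.
renew_ca() {
    openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -set_serial 2 \
        -extfile ca-ext.cnf -extensions v3_ca -out new-ca.crt 2>/dev/null
}

# Step 2: re-sign the existing host CSR with the new CA certificate;
# the host key pair is left untouched.
renew_host() {
    openssl x509 -req -in host.csr -CA new-ca.crt -CAkey ca.key \
        -set_serial 1001 -days 365 -out host.crt 2>/dev/null
}

# The check Markus asks for: same subject and same public key in both CA
# certificates, otherwise clients holding the old CA see a different issuer.
same_subject_and_key() {
    [ "$(openssl x509 -in old-ca.crt -noout -subject)" = \
      "$(openssl x509 -in new-ca.crt -noout -subject)" ] &&
    [ "$(openssl x509 -in old-ca.crt -noout -pubkey)" = \
      "$(openssl x509 -in new-ca.crt -noout -pubkey)" ]
}

# Chain-check host.crt against a given CA file. An optional second argument
# (seconds since the epoch) models a client whose clock has moved on, like
# the changed-clock test in the thread.
verify_host() {
    ca=$1
    at=${2:-}
    if [ -n "$at" ]; then
        openssl verify -attime "$at" -CAfile "$ca" host.crt >/dev/null 2>&1
    else
        openssl verify -CAfile "$ca" host.crt >/dev/null 2>&1
    fi
}

renew_ca
renew_host

# A point in time after the old CA's 30-day validity has run out.
AFTER_OLD_CA_EXPIRES=$(( $(date +%s) + 31 * 86400 ))

same_subject_and_key && echo "old and new CA: same subject and key"
verify_host old-ca.crt && echo "host cert accepted by clients with the OLD CA (today)"
verify_host new-ca.crt && echo "host cert accepted by clients with the NEW CA (today)"
if verify_host old-ca.crt "$AFTER_OLD_CA_EXPIRES"; then
    echo "unexpected: old CA still accepted after its expiry"
else
    echo "after the old CA expires, clients still holding it reject the chain"
fi
verify_host new-ca.crt "$AFTER_OLD_CA_EXPIRES" && echo "clients with the NEW CA keep working"
```

The last two checks are the rollover window the poster relies on: as long as the old CA certificate is valid, a client that has only the old CA installed still builds a chain to the newly signed host certificate, because issuer name and signing key are identical; once the old CA certificate expires, only clients that received the new CA certificate continue to validate, so distribution has to be complete by then.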