> [EMAIL PROTECTED] wrote:
>
>>I have been trying to renew a certificate generated for signing emails.
>>The renewal goes OK: first revoke the old one, then re-sign the request with a
>>new end date etc., and I can use the new certificate fine.
>>
>>However, if I try to open an "old" email sent from home using my old
>>certificate to sign it, I can't: Outlook can't find the private key for
>>the message. But if I put the expired certificate back on my Windows box,
>>it does find it and all is well.
>>
>>Does this mean that to open old email I always need to leave my expired certs
>>on the PC, or have I not managed to re-sign the certificate properly? Or
>>is this just the way it works?
>>
>>I have investigated, and the new certificate has a different serial number
>>from the old one. If I "fiddle" the certificate number and force openssl to
>>re-sign the certificate with the same serial number, it works! But I am
>>sure you are not supposed to do this!
>>
>>Anyone any ideas, suggestions?
>>
>>DEREK
>>______________________________________________________________________
>>OpenSSL Project                                 http://www.openssl.org
>>User Support Mailing List                    [EMAIL PROTECTED]
>>Automated List Manager                           [EMAIL PROTECTED]
>>
>>
> I'm afraid that this is "just the way it works".
>
> One thing should be obvious: the private keys have to be available to
> read old mails, since otherwise the old mails would have to be re-encrypted
> with the new private key.
>
> I'm not sure how you do a "renew" with Outlook. The implementations I've
> seen always generate a new private key and a new certification request
> if the old cert is expired. If you're working manually with openssl it
> is possible to generate a new certificate request for the same private
> key, but this new certificate is different from the old one. As you
> noticed the serial number, as well as the "Not before"- and "Not
> after"-Fields are modified, since the certificate in fact must be a new
> one (even if the private keys are the same). So I can imagine that
> Outlook cannot match the new certificate with the old mail even if it
> has the same public keys. Anyone who knows better please correct me.
>
> Hope it helps,
> Ted
> ;)
>
> --
> PGP Version: 2.6.3i Public Key Information
> Download complete Key from ftp://ftp.convey.de/ted/tedkey.asc
> Key fingerprint = 26 A9 0C 25 60 15 2C B2  D0 F3 A2 31 3D 35 F3 95
>
>
I thought it was. Interestingly, all the certificates are generated
centrally and not in response to a certificate request from Outlook, so I
am able to regenerate the certificate from the original keys and request.
So the new certificate has the same public and private keys as the
original, but Outlook still does not realise it has the correct private
key.

The link that Outlook appears to use is the serial number: if it does not
find a certificate with the same serial number as the one in the message,
it will not find the private key to decrypt the message.

I have proven this by forcing the CA command to produce a new certificate
from the original request and original keys with the same serial number.
This works - but I was not sure if this is the only way.

So I now have to decide:

Do I do the above and force renewals to have the same keys, serial number
and details from the original req?

Or do I tell the end users that to open old mail they have to have the expired
certificates on the system too?

I hope the conversation in this message helps others to realize what is
going on. All the best.

DEREK

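The behaviour Derek describes is what the S/MIME format itself specifies: the KeyTransRecipientInfo in an enveloped message (RFC 5652) identifies the recipient by the certificate's issuer name and serial number, not by the public key, so a client that looks up the decryption key via that identifier will not find a reissued certificate that carries a new serial. The script below is an added example written for this page, not something posted in the thread, and it reproduces the effect with OpenSSL's `cms` command: one user key pair, three certificates issued from the same CSR (original serial, renewed serial, and the original serial reused the way Derek did), and a message encrypted to the original. The `-recip` option makes OpenSSL match the certificate by issuer and serial exactly as Outlook appears to; decrypting with the bare key and no certificate shows that the key itself was never the problem. It assumes `openssl` is on the PATH; the CA name, subject, serial numbers and message text are all made up.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows with OpenSSL that an S/MIME
# recipient is identified by issuer + serial number, so a certificate
# reissued for the same key but with a new serial does not match old mail.
# Assumptions: openssl(1) in PATH; all subjects, serials and text are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One demo CA and one user key pair. The user key is generated once and
# reused for every certificate, as a centrally managed CA can do.
make_ca_and_user_key() {
    openssl req -x509 -batch -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Demo CA" -days 3650 >/dev/null 2>&1
    openssl req -new -batch -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
        -subj "/CN=derek@example.invalid" >/dev/null 2>&1
}

# Issue a certificate from the original CSR with an explicit serial number.
issue_cert() {                     # $1 = serial (decimal), $2 = output file
    openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key \
        -set_serial "$1" -days 365 -out "$2" >/dev/null 2>&1
}

# Encrypt a constructed message to a certificate, as the sender did at home.
encrypt_to() {                     # $1 = recipient cert, $2 = output file
    printf 'Subject: test\n\nhello from home\n' > plain.txt
    openssl cms -encrypt -aes256 -in plain.txt -out "$2" "$1" 2>/dev/null
}

# Decrypt the way a mail client does: the RecipientInfo in the message names
# the issuer and serial of the certificate it was encrypted to, and "-recip"
# makes OpenSSL look for exactly that certificate before trying the key.
# Prints "ok" on success, "no-match" if the certificate's issuer+serial is
# not the one named in the message.
decrypt_as() {                     # $1 = message, $2 = certificate to match
    if openssl cms -decrypt -in "$1" -recip "$2" -inkey user.key \
           -out decrypted.txt >/dev/null 2>&1; then
        echo ok
    else
        echo no-match
    fi
}

# Decrypt with the bare private key and no certificate: OpenSSL then tries
# the key against every RecipientInfo, which is the lookup Outlook does not do.
decrypt_with_key_only() {          # $1 = message
    if openssl cms -decrypt -in "$1" -inkey user.key \
           -out decrypted.txt >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Print the issuer/serial the message names (for inspection only).
show_recipient_id() {              # $1 = message
    openssl cms -in "$1" -cmsout -print 2>/dev/null \
        | grep -i -E 'issuer|serialNumber' || true
}

make_ca_and_user_key
issue_cert 4097 user-old.crt          # original certificate, serial 4097
issue_cert 4098 user-renewed.crt      # renewed: same key and CSR, new serial
issue_cert 4097 user-same-serial.crt  # the workaround: same serial reused

encrypt_to user-old.crt msg.p7m

echo "RecipientInfo named in the message:"
show_recipient_id msg.p7m
echo "old cert (serial 4097):         $(decrypt_as msg.p7m user-old.crt)"
echo "renewed cert (serial 4098):     $(decrypt_as msg.p7m user-renewed.crt)"
echo "reissued with serial 4097:      $(decrypt_as msg.p7m user-same-serial.crt)"
echo "private key alone, no cert:     $(decrypt_with_key_only msg.p7m)"
```

`openssl smime -decrypt -recip` (the PKCS#7 front end) selects the RecipientInfo the same way, so the result is identical with the older command. Note also that `-decrypt` does not check the recipient certificate's validity period, only its identity, which is why an expired copy of the original certificate keeps working for old mail. Reissuing a certificate with a serial number that has already been used is not something a CA should do: serial numbers are the handle that revocation (CRLs, OCSP) and every other issuer+serial lookup rely on, so keeping the expired certificate available alongside the renewed one is the cleaner of the two options in the thread.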