On Wed, Oct 17, 2007 at 12:43:03PM -0700, Jim Fox wrote: > > >I have a private CA certificate created using openssl command line. The > >issue is that the certificate expires on 19th Oct, 2007. The question is > >that "Is it possible to extend the expiry of this certificate without > >changing any other fields in the certificate?" Basically, I want to > >continue > >using this CA Cert to sign end-user certs for a longer time. > >Any help will be appreciated. Thanks. > > > > Use the same key and the same DN and the cert will continue > to act as a valid CA for any other certs you have signed.
Also the same serial number and authority identifier in v3 extensions if present in the expiring CA cert, for example: ... Serial Number: c5:30:80:16:44:78:d9:12 ... X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Key Identifier: F1:EF:77:42:18:C4:D6:E2:6D:1C:3D:A8:02:BE:E2:F3:E4:6E:50:40 X509v3 Authority Key Identifier: keyid:F1:EF:77:42:18:C4:D6:E2:6D:1C:3D:A8:02:BE:E2:F3:E4:6E:50:40 DirName:<CA DN> serial:C5:30:80:16:44:78:D9:12 ... If any of this information changes, certificates will fail verification. -- Viktor. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]