I found this in the pkcs#12 FAQ:
<snip>
2. Extend the CA expiry date with e.g.:
openssl x509 -in demoCA/cacert.pem -days 1024 -out cacert.pem -signkey demoCA/private/cakey.pem
...
This is almost correct for me, and it even preserves the extensions, but
it always produces a self-signed cert by resetting the issuer.
I also tried the following, where my cert is in ee.pem (signed by ca.pem):
openssl x509 -in ee.pem -days 1024 -out ee_1.pem -CA ca.pem -CAserial serial
It fails like this:
Loading 'screen' into random state - done
Getting CA Private Key
/C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=Test/CN=ee
error with certificate - error 20 at depth 0
unable to get local issuer certificate
/C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=Test/CN=ee
error with certificate - error 21 at depth 0
unable to verify the first certificate
The doc says "Without the -req option the input is a certificate which
must be self signed" and the ee cert obviously isn't self-signed. Are there
any command options that can get this to work?
I can write a program to do this but since it works already for
self-signed certs, I would have thought it would already be in openssl.
Any reason why it's not in the 'openssl' command line tool?
If I patch the openssl tool to add this will it get integrated into the
main code base? I.e. would anyone else use this to refresh end-user certs?
Simon McMahon
"David Schwartz" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
24/10/2007 05:13 PM
Please respond to: [email protected]
To: <[email protected]>
Subject: RE: refresh validity dates on a certificate
> I just saw the "RE: Changing the expiry date of a cert" thread
> but I think
> my question is a little different.
>
> My certs are not CA certs they are user certs where the only thing I
> really need to preserve are subject, issuer, key & cert extensions. The
> serial # doesn't matter.
>
> The thing I would like to use is "openssl x509" and specify the old cert
> and get a new cert from it with all the extensions preserved.
This capability is not built into the 'openssl' command line tool, but
it's pretty close to trivial to write a program to read in a certificate,
change the from/to validity dates, sign the certificate, and write out the
result.
DS
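
A sketch of the kind of program described above, added here as an example (it is not from the thread and not OpenSSL project code). It uses the Python `cryptography` package rather than the OpenSSL C API. The function names, the throwaway ECDSA CA and the `ee.example` name are constructed for the demo.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject, pubkey, issuer, signing_key, days, extensions):
    """Build and sign a certificate valid from now for `days` days."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer).public_key(pubkey)
         .serial_number(x509.random_serial_number())  # serial is not preserved
         .not_valid_before(now)
         .not_valid_after(now + datetime.timedelta(days=days)))
    for value, critical in extensions:
        b = b.add_extension(value, critical)
    return b.sign(signing_key, hashes.SHA256())

def refresh(old, ca_cert, ca_key, days=1024):
    """Re-issue `old` with new dates; subject, key and extensions are kept."""
    if old.issuer != ca_cert.subject:
        raise ValueError("certificate was not issued by this CA")
    # Refuse input this CA never signed (raises InvalidSignature).
    # Assumption: ECDSA CA key; an RSA CA needs padding.PKCS1v15() plus the hash.
    ca_cert.public_key().verify(old.signature, old.tbs_certificate_bytes,
                                ec.ECDSA(old.signature_hash_algorithm))
    exts = [(e.value, e.critical) for e in old.extensions]
    return issue(old.subject, old.public_key(), ca_cert.subject, ca_key, days, exts)

def demo():
    """Constructed test data: a throwaway CA and one end-entity certificate."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ee_key = ec.generate_private_key(ec.SECP256R1())
    ca = issue(name("Test CA"), ca_key.public_key(), name("Test CA"), ca_key, 3650,
               [(x509.BasicConstraints(ca=True, path_length=None), True)])
    ee = issue(name("ee"), ee_key.public_key(), ca.subject, ca_key, 1,
               [(x509.BasicConstraints(ca=False, path_length=None), True),
                (x509.SubjectAlternativeName([x509.DNSName("ee.example")]), False)])
    return ca, ca_key, ee, refresh(ee, ca, ca_key)
```

Only the CA key is needed, not the end-entity private key. The signature check stops the CA from re-signing a certificate that merely carries its name in the issuer field.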
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________