I just noticed in the extensions of the certificates that the "Subject Key 
Identifier" and "Authority Key Identifier" match in the one which works 
and are different in the one which fails. This may explain the 
verification failure.

Looks like openssl has just copied the extensions without looking at them. 
It probably should update the "Authority Key Identifier" if it is present 
in the extensions.

Simon McMahon
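The diagnosis above (a copied Authority Key Identifier that no longer names the key that actually signed the certificate) and Kyle's two-command recipe further down the thread can be exercised end to end. The script below is an added example, not code from this thread or from the OpenSSL project: it builds a throwaway CA and a CA-issued end-entity certificate, runs the refresh both as posted (extensions copied verbatim) and with the identifiers regenerated via -clrext plus an extfile, and checks each result the way a verifier does, by comparing the certificate's AKI keyid with the issuer's Subject Key Identifier. The config sections, file names and helper functions (key_id, aki_matches_issuer, verifies, report) are all assumptions made for this demo; it needs only the openssl command-line tool and a POSIX awk.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the stale Authority Key
# Identifier (AKI) that "openssl x509" leaves behind when it copies extensions
# verbatim, detect it by comparing the AKI against the issuer's Subject Key
# Identifier (SKI), and show a refresh recipe that regenerates both.
# Assumes the openssl CLI and POSIX awk; the CA, keys, names and config
# sections below are all constructed for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed extension profiles. "authorityKeyIdentifier = keyid" is filled
# from whichever cert openssl treats as the issuer at signing time
# (the cert itself for -signkey, the -CA cert otherwise).
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Refresh CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
cat > ee.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = example-ee
[v3_ee]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Throwaway CA and a CA-issued end-entity cert as the starting point.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ca.key
openssl req -new -x509 -key ca.key -config ca.cnf -extensions v3_ca -days 365 -out ca.pem
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ee.key
openssl req -new -key ee.key -config ee.cnf -out ee.csr
openssl x509 -req -in ee.csr -CA ca.pem -CAkey ca.key -set_serial 1 -days 30 \
    -extfile ee.cnf -extensions v3_ee -out ee.pem 2>/dev/null

# key_id CERT Subject|Authority: print the 20-byte identifier from -text output
# (handles both the "keyid:" prefixed and the bare hex print formats).
key_id() {
    openssl x509 -in "$1" -noout -text |
        awk -v hdr="X509v3 $2 Key Identifier" '
            want && match($0, /[0-9A-F][0-9A-F](:[0-9A-F][0-9A-F])+/) {
                print substr($0, RSTART, RLENGTH); exit
            }
            index($0, hdr) { want = 1 }'
}

# aki_matches_issuer CERT ISSUER: the test X509_check_issued applies when a
# verifier looks for an issuer; a mismatch means no issuer is found.
aki_matches_issuer() {
    [ "$(key_id "$1" Authority)" = "$(key_id "$2" Subject)" ]
}

# verifies CERT CAFILE: exit 0 when openssl verify accepts the chain.
verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Step 1 of the thread's recipe, as posted: extensions copied verbatim, so the
# AKI still names the CA's key although the issuer is now the cert itself.
openssl x509 -in ee.pem -signkey ee.key -days 1024 -out ee_stale.pem 2>/dev/null

# Step 1 corrected: drop the copied extensions and regenerate them. Every other
# extension worth keeping has to be restated in the extfile.
openssl x509 -in ee.pem -signkey ee.key -days 1024 -clrext \
    -extfile ee.cnf -extensions v3_ee -out ee_fresh.pem 2>/dev/null

# Step 2, naive: -CA copies the self-signed cert's AKI, which now names the
# end-entity's own key instead of the CA's.
openssl x509 -in ee_fresh.pem -CA ca.pem -CAkey ca.key -set_serial 2 -days 1024 \
    -out ee_naive.pem 2>/dev/null

# Step 2 corrected: regenerate again, this time with ca.pem as the issuer.
openssl x509 -in ee_fresh.pem -CA ca.pem -CAkey ca.key -set_serial 3 -days 1024 \
    -clrext -extfile ee.cnf -extensions v3_ee -out ee_refreshed.pem 2>/dev/null

report() {  # report CERT ISSUER LABEL
    if aki_matches_issuer "$1" "$2"; then s="matches"; else s="STALE"; fi
    echo "$3: AKI $(key_id "$1" Authority) vs issuer SKI $(key_id "$2" Subject): $s"
}
report ee_stale.pem ee_stale.pem "self-signed, extensions copied"
report ee_fresh.pem ee_fresh.pem "self-signed, extensions regenerated"
report ee_naive.pem ca.pem "CA-signed, extensions copied"
report ee_refreshed.pem ca.pem "CA-signed, extensions regenerated"
```

The two "STALE" lines are the sslcln2.pem situation: openssl verify on the stale self-signed copy fails with error 20 (unable to get local issuer certificate) even when that very file is given as the trust store, because the candidate issuer's SKI does not equal the certificate's AKI keyid and is therefore rejected. The -clrext route fixes that at the cost of restating every extension you want to keep in the extfile.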

From: Simon McMahon/Australia/Contr/[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 25/10/2007 02:48 PM
Please respond to: openssl-users@openssl.org
To: "Kyle Hamilton" <[EMAIL PROTECTED]>
cc: openssl-users@openssl.org
Subject: Re: refresh validity dates on a certificate

Great idea!
That certainly should work but didn't for me.
My openssl is "OpenSSL 0.9.8b 04 May 2006"

The 1st command worked fine and gave a self-signed cert that looked fine. 
See below for a dump of it.
    openssl x509 -in sslcln.pem -days 1024 -out sslcln2.pem -signkey sslcln.pem
The 2nd command returned the same error (see below) as I was getting 
before!
    openssl x509 -in sslcln2.pem -days 1024 -out sslcln3.pem -CA ca.pem -CAserial serial

Note: sslcln.pem and ca.pem both contain the cert & private key.

To make sure I wasn't just doing it wrong I tried it on another 
self-signed cert, created normally (for ocsp) with "openssl req -new -x509 ..."
    openssl x509 -in ocspss.pem -days 1024 -out ocspss2.pem -CA ca.pem -CAserial serial
This worked fine, updating the validity and preserving the extensions as I 
needed.

Did I do something wrong in command 1?

error from command 2:
Loading 'screen' into random state - done
Getting CA Private Key
/C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=GSKit/CN=sslcln
error with certificate - error 20 at depth 0
unable to get local issuer certificate
/C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=GSKit/CN=sslcln
error with certificate - error 21 at depth 0
unable to verify the first certificate

a dump of sslcln2.pem (not working) gives:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Queensland, O=IBM, L=Gold Coast, OU=GSKit, CN=sslcln
        Validity
            Not Before: Oct 25 04:00:23 2007 GMT
            Not After : Aug 14 04:00:23 2010 GMT
        Subject: C=AU, ST=Queensland, O=IBM, L=Gold Coast, OU=GSKit, CN=sslcln
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a9:b1:99:5a:c2:d5:83:a6:6d:ea:d1:1f:f2:8c:
                    bf:43:6c:a2:09:07:f8:14:2f:f7:07:e4:cb:57:d9:
                    53:2e:55:68:86:c8:4d:8f:d2:3a:5a:81:ca:65:b0:
                    83:0a:97:6e:5a:15:f5:df:65:8f:e0:27:e3:dc:d1:
                    84:3a:ac:a2:d8:a9:9e:69:e1:5f:1d:88:10:72:85:
                    7e:ea:a4:db:79:43:0b:63:6b:4f:e0:8f:ee:09:9a:
                    66:14:bb:b1:48:2d:17:0f:da:c0:f9:12:8e:a2:98:
                    a5:61:86:85:14:10:30:c2:28:00:fd:0c:cb:ca:71:
                    9f:34:e0:8e:f5:25:f0:73:93
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                8B:44:9A:12:AE:E1:D0:7F:6F:0C:60:87:1E:A6:8A:D8:9C:3D:57:57
            X509v3 Authority Key Identifier:
                keyid:89:9E:C2:C4:E6:87:4E:C2:DC:9E:DE:A7:D5:BE:64:F6:BF:2C:1E:2C

            X509v3 Subject Alternative Name:
                <EMPTY>

    Signature Algorithm: sha1WithRSAEncryption
        3a:15:9e:2d:0f:01:aa:b7:a2:86:b8:09:47:6b:00:7f:16:3a:
        32:46:11:be:06:16:f0:b8:cc:67:6e:8e:fe:32:14:5d:87:1c:
        ea:da:fa:81:e8:e7:e8:9f:c5:e1:06:4b:cc:2e:de:f7:bc:df:
        9e:60:be:94:23:67:b9:76:c9:47:4d:0c:ab:61:a5:eb:5e:3e:
        d3:50:c5:4b:4c:d3:92:a3:7e:31:03:dd:68:64:6a:e3:53:df:
        26:0b:c0:a0:d7:ff:a6:7d:5b:29:6f:50:8a:b7:8e:45:90:c8:
        1f:2e:a2:43:14:69:54:32:82:3c:90:b1:70:b2:8e:c1:b7:5d:
        df:f7

a dump of ocspss.pem (worked) gives:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ce:f1:9e:49:5a:60:ca:63
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Queensland, L=Gold Coast, O=IBM, OU=GSKit, CN=ocspss
        Validity
            Not Before: Oct  6 06:53:16 2006 GMT
            Not After : Oct  5 06:53:16 2009 GMT
        Subject: C=AU, ST=Queensland, L=Gold Coast, O=IBM, OU=GSKit, CN=ocspss
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:df:2b:01:4f:21:f0:ba:3d:e1:e3:e2:02:a2:c0:
                    9e:82:a4:e3:a7:7a:d4:84:6e:fe:a8:5e:26:a5:ff:
                    80:80:d2:6e:7e:24:4d:ad:ca:b6:f6:c5:9b:b4:02:
                    9b:39:ca:9d:b4:48:99:6f:43:d6:f8:58:b8:ff:29:
                    21:3f:35:40:d3:40:dd:8f:a8:36:f2:3e:5e:ed:72:
                    5f:01:00:40:b5:9d:5c:3e:92:a3:7d:4b:a8:51:22:
                    dd:6d:ab:e2:a6:f1:e1:52:30:bb:64:4b:82:33:af:
                    bc:23:2e:4e:0d:5b:d5:b7:71:2f:64:52:cc:78:d0:
                    53:9d:ad:2b:ef:7e:16:21:cb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                OCSP Signing
            Netscape Comment:
                OpenSSL Generated OCSP Certificate
            X509v3 Subject Key Identifier:
                AB:66:CE:08:DD:F2:3F:9E:45:67:69:D4:05:8C:28:85:0C:F6:08:18
            X509v3 Authority Key Identifier:
                keyid:AB:66:CE:08:DD:F2:3F:9E:45:67:69:D4:05:8C:28:85:0C:F6:08:18

            X509v3 Subject Alternative Name:
                <EMPTY>

    Signature Algorithm: sha1WithRSAEncryption
        65:6f:a9:c8:b2:e5:83:e6:20:c5:00:55:61:df:ee:ee:45:1d:
        ff:fb:3e:87:1b:2e:b5:92:d3:ce:a5:8e:06:22:1d:73:eb:68:
        59:45:a1:51:e4:a6:9d:e9:d4:10:c9:a7:2d:a4:3b:34:49:0a:
        3c:fa:9f:a1:16:49:6f:f1:5c:07:6b:05:40:1d:0f:1e:05:71:
        43:60:b9:d5:32:f6:d7:a8:6b:9c:5e:8e:1b:e9:ab:d8:51:96:
        a1:cd:79:c4:6a:4d:5d:e5:d4:9f:10:a8:86:b4:4e:ab:8a:97:
        70:7e:13:39:c9:0c:2d:38:4b:2e:ae:21:f7:b7:3a:a0:82:03:
        c3:fd


Simon McMahon


From: "Kyle Hamilton" <[EMAIL PROTECTED]>
Date: 25/10/2007 01:09 PM
To: openssl-users@openssl.org, Simon McMahon/Australia/Contr/[EMAIL PROTECTED]
cc:
Subject: Re: refresh validity dates on a certificate

What I would do is a pair of commands:

$ openssl x509 -in currentcertificate.pem -out selfsigned.pem -days 1024 -signkey currentkey.pem
$ openssl x509 -in selfsigned.pem -days 1024 -CA ca.pem -CAserial serial -out refreshedcert.pem -outform PEM

Since you're creating a self-signed cert in the first command, the
input is appropriate for the -CA function.

Note, under the BUGS section of the 'x509' man page, it says:
"Extensions in certificates are not transferred to certificate
requests and vice versa."  So you can't just convert to request and
then sign the request.  However, extensions are retained from cert to
cert if you don't use the -clrext option.

-Kyle H


On 10/24/07, Simon McMahon <[EMAIL PROTECTED]> wrote:
> I found this in the pkcs#12 FAQ:
>
> <snip>
> 2.      Extend the CA expiry date with e.g.:
> openssl x509 -in demoCA/cacert.pem -days 1024 -out cacert.pem -signkey
> demoCA/private/cakey.pem
> ...
>
> This is almost correct for me, and it even preserves the extensions, but
> it always produces a self-signed cert by resetting the issuer.
>
> I also tried the following, where my cert is in ee.pem (signed by ca.pem):
>
>     openssl x509 -in ee.pem -days 1024 -out ee_1.pem -CA ca.pem -CAserial serial
>
> It fails like this:
> Loading 'screen' into random state - done
> Getting CA Private Key
> /C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=Test/CN=ee
> error with certificate - error 20 at depth 0
> unable to get local issuer certificate
> /C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=Test/CN=ee
> error with certificate - error 21 at depth 0
> unable to verify the first certificate
>
> The doc says "Without the -req option the input is a certificate which
> must be self signed" and the ee cert obviously isn't self-signed. Are
> there any command options that can get this to work?
>
> I can write a program to do this but since it works already for
> self-signed certs, I would have thought it would already be in openssl.
> Any reason why it's not in the 'openssl' command line tool?
> If I patch the openssl tool to add this will it get integrated into the
> main code base? I.e. would anyone else use this to refresh end-user certs?
>
> Simon McMahon


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

