On 08/26/2009 04:24 PM, Peter Sylvester wrote:
Jehan PROCACCIA wrote:
On 26/08/2009 12:17, Peter Sylvester wrote:

OK, then how do I re-issue my root CA certificate with my already existing ca.key?
If I could have a sample command line for openssl it would help me.
Something like:

OPENSSL x509 -set_serial $SERIAL -clrext -extfile CA-EXTENSION.prm -days $DURATION -CA $CAPREFIX-ca.cacert -CAkey $CAPREFIX-ca.key -in $PREFIX-ca.crt -out $PREFIX-ca.der -outform der -sha256

Thanks for the sample command line, however I don't get it clearly ...
What are $CAPREFIX-ca.cacert and $PREFIX-ca.crt!?
The -extfile CA-EXTENSION.prm could be a locally modified openssl.cnf?
Then the -clrext isn't clear to me: "delete extensions before signing and input certificate". In the first place, I do want to add extensions, why ask openssl to delete them!?

All $things are "variables":
$PREFIX is the cert that you want to modify (a copy or your root cert)
$CAPREFIX the key (and cert) you want to sign with (cert is used to become issuer), again your root cert and key.

CA_EXTENSION.prm is a complete set of extensions that you want to have, with the initial
section containing extensions=whateverlistofextensions.

The original input cert contains extensions, they are "ignored" with the -clrext.
Only the extensions from the config file are taken.

Ok, then in my case $PREFIX is it_root_ca.crt (PKI public cert) and $CAPREFIX it_root_ca.key (PKI private key).
But here's what I get:

[pkiitr...@localhost ~/New_IT_ROOT_CA/pki/ca]
$ openssl x509 -set_serial 01 -clrext -extfile openssl.cnf -days 3650 -CA it_root_ca.key -CAkey it_root_ca.key -in it_root_ca.crt -out it_root_ca2.crt
unable to load certificate
4869:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE

Did I misunderstand you?

Here's my environment:

[pkiitr...@localhost ~/New_IT_ROOT_CA/pki/ca]
$ ls -l
total 140
drwxrwxr-x 3 pkiitroot pkiitroot 4096 Jul 15 17:59 certs
-rw-rw-r-- 1 pkiitroot pkiitroot    0 Jul 15 18:00 index.txt
-rw-rw-r-- 1 pkiitroot pkiitroot 2858 Jul 15 20:13 it_root_ca.crt
-rw-rw-r-- 1 pkiitroot pkiitroot 3311 Jul 15 20:13 it_root_ca.key
drwxrwxr-x 2 pkiitroot pkiitroot 4096 Jul 15 17:59 newcerts
-rw-r--r-- 1 pkiitroot pkiitroot 9873 Jul 16 03:19 openssl.cnf
drwxrwxr-x 2 pkiitroot pkiitroot 4096 Jul 15 17:59 private
-rw-rw-r-- 1 pkiitroot pkiitroot    3 Jul 15 18:00 serial

$ rpm -q openssl
openssl-0.9.8b-8.3.el5_0.2


Thanks.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
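
The re-issue discussed in this thread, as an added example that is not part of the original messages: `-CA` is given the root certificate and `-CAkey` the private key, and the extension file uses the layout described above (a default section naming the extension section). The function names, file names, subject and extension values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; file names, subject and extension values are constructed.

# Re-sign an existing root certificate with its own key, replacing all extensions.
# -CA takes the CA *certificate* (source of the issuer name), -CAkey the private key.
reissue_root() {  # usage: reissue_root CERT KEY EXTFILE SERIAL OUT
    openssl x509 -in "$1" -clrext -extfile "$3" -set_serial "$4" \
        -days 3650 -sha256 -CA "$1" -CAkey "$2" -out "$5"
}

# Build a throwaway root in a temp dir, re-issue it, and check the result.
demo() {
    d=$(mktemp -d) || return 1
    # Config for the stand-in "old" root, carrying an extension we expect to vanish.
    cat > "$d/old.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = old_ext
prompt = no
[ dn ]
CN = Demo Root CA
[ old_ext ]
basicConstraints = CA:TRUE
nsComment = "old extension set"
EOF
    # Extension file for the re-issue: the default section names the section to use.
    cat > "$d/ca-ext.cnf" <<'EOF'
extensions = v3_ca
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$d/old.cnf" -newkey rsa:2048 -nodes -days 30 \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    reissue_root "$d/ca.crt" "$d/ca.key" "$d/ca-ext.cnf" 2 "$d/ca2.crt" 2>/dev/null &&
    # The key pair did not change: both certificates carry the same public key.
    [ "$(openssl x509 -in "$d/ca.crt" -noout -pubkey)" = \
      "$(openssl x509 -in "$d/ca2.crt" -noout -pubkey)" ] &&
    # The new certificate is still a valid self-signed root.
    openssl verify -CAfile "$d/ca2.crt" "$d/ca2.crt" >/dev/null 2>&1 &&
    # Extensions come only from ca-ext.cnf; -clrext dropped the old set.
    openssl x509 -in "$d/ca2.crt" -noout -text | grep -q "Certificate Sign" &&
    ! openssl x509 -in "$d/ca2.crt" -noout -text | grep -q "old extension set"
    rc=$?
    rm -rf "$d"
    return $rc
}
```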