On 19/05/11 10:44, Tim Watts wrote:
> Hi folks,
> I'm setting up a new CA/SSL infrastructure for work - the CA is
> self-signed and all SSL certs (mostly server certs rather than client certs)
> will be signed off against this CA.

Thanks for all your help - I've managed something that incorporates all
the corrections mentioned here, which have proven invaluable.
One further question though:
Is this the correct incantation for renewing a cert (i.e. re-signing with a
new end date):

    # revoke original
    openssl ca -extensions server_cert -config blah.cnf \
        -cert certs/CA.crt -keyfile certs/CA.key \
        -revoke certs/www.example.com.crt

    # sign a new cert from the *original* CSR
    openssl ca -extensions server_cert -config blah.cnf \
        -cert certs/CA.crt -keyfile certs/CA.key \
        -days 1000 -in certs/www.example.com.csr \
        -out certs/www.example.com.crt

From what I understand, I only need to put the new cert on the server
in question - the corresponding key remains untouched?
TIA
Cheers,
Tim
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
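
The revoke-then-re-sign sequence from the message above, run end to end against a throwaway CA, as an added example that is not part of the original post. It checks that a certificate re-signed from the original CSR carries the public key of the existing, untouched private key; the config contents, the "Demo CA" name, the key size and the initial 30-day lifetime are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: throwaway CA in a temp dir; every name and value is constructed.
renew_demo() (
  set -e
  exec 3>&1 1>&2                      # openssl chatter -> stderr, result -> fd 3
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
  mkdir certs newcerts; : > index.txt; echo 01 > serial
  cat > blah.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca ]
default_ca = CA_default
[ CA_default ]
database = ./index.txt
serial = ./serial
new_certs_dir = ./newcerts
default_md = sha256
policy = policy_any
unique_subject = yes
[ policy_any ]
commonName = supplied
[ server_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
  n=www.example.com
  openssl req -config blah.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo CA" -keyout certs/CA.key -out certs/CA.crt
  openssl req -config blah.cnf -new -newkey rsa:2048 -nodes \
    -subj "/CN=$n" -keyout certs/$n.key -out certs/$n.csr
  sign() { openssl ca -batch -notext -extensions server_cert -config blah.cnf \
    -cert certs/CA.crt -keyfile certs/CA.key -days "$1" \
    -in certs/$n.csr -out certs/$n.crt; }
  sign 30                                   # the original certificate
  openssl ca -config blah.cnf -cert certs/CA.crt -keyfile certs/CA.key \
    -revoke certs/$n.crt                    # revoke it (index.txt entry V -> R)
  sign 1000                                 # re-sign the same CSR with new dates
  # The renewed cert must carry the public key of the untouched private key.
  k=$(openssl pkey -in certs/$n.key -pubout | openssl dgst -sha256)
  c=$(openssl x509 -in certs/$n.crt -noout -pubkey | openssl dgst -sha256)
  [ "$k" = "$c" ] && same=yes || same=no
  echo "revoked=$(grep -c '^R' index.txt) valid=$(grep -c '^V' index.txt) same_key=$same" >&3
)
renew_demo
```

With `unique_subject = yes`, the CA database accepts the second signing of the same subject only because the first entry is already marked revoked.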