Re: Renew/extend CA created with ikectl

2018-12-12 Thread Kim Zeitler

Hello Stuart

thanks for the reply, I already suspected something along those lines.

On 12/10/18 7:14 PM, Stuart Henderson wrote:

> It's a bit awkward but can be done, you'll find some information at
> https://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal
>
> You'll need to get the new CA cert installed on clients anyway though
> (and I don't suppose the client certs have much longer validity either?)
> so doing the above might not save you much trouble ..

In the end I followed something along these lines.
As we have quite some clients in the field it was easier to get them to
add the new CA.

>> I didn't find anything in the man pages nor on the mailing list. Having
>> had a look at ikeca.c gave me some idea of how the file is created.
>>
>> Also is there a way of having the ca cert valid for more than 365 days?
>
> Not without patching the command-line in ikectl code, or generating
> the cert manually. It's not ideal..

I would be willing to patch ikectl to contain a ca renew, but would like
some 'guidance' concerning sane defaults for this.

> I'd probably recommend using something else to manage your internal
> CA (or just avoiding X509 if you don't actually need it...).

Any suggestions? We used some other CA management SW over the years but
enjoyed the clean and simple approach that ikectl gave us so far.

Cheers Kim



Re: Renew/extend CA created with ikectl

2018-12-10 Thread Stuart Henderson
On 2018-12-07, Kim Zeitler wrote:
> Hello,
>
> before I start getting creative with openssl(1) on my ikectl(8) created ca.
>
> Yesterday my ca certificate expired and I need to renew it (without 
> losing all the client certificates)
>
> Is there a recommended way of renewing the ca.crt created using ikectl 
> ca create?

It's a bit awkward but can be done, you'll find some information at
https://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal

You'll need to get the new CA cert installed on clients anyway though
(and I don't suppose the client certs have much longer validity either?)
so doing the above might not save you much trouble ..

> I didn't find anything in the man pages nor on the mailing list. Having 
> had a look at ikeca.c gave me some idea of how the file is created.
>
> Also is there a way of having the ca cert valid for more than 365 days?

Not without patching the command-line in ikectl code, or generating
the cert manually. It's not ideal..

I'd probably recommend using something else to manage your internal
CA (or just avoiding X509 if you don't actually need it...).
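The renewal Stuart points at (re-sign the CA certificate with the same key and subject so that already issued client certificates keep chaining, and choose the validity yourself instead of the 365 days ikectl hands out), worked through as a runnable shell example. This is an added example, not code from the thread and not ikectl's or ikeca.c's own logic; the CA name, the client name, the file names and the 3650-day lifetime are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, not ikectl/ikeca.c code): renew a CA
# certificate with openssl(1) while reusing the CA's private key, so that
# client certificates already issued by that CA still verify afterwards.
# All names, subjects and paths below are constructed for the demo.
set -eu

# renew_ca_demo WORKDIR [DAYS]
#   Creates a throwaway CA and one client cert in WORKDIR, re-signs the CA
#   cert with the same key for DAYS days, and checks that the client cert
#   verifies against the renewed CA cert. Prints "ok" on success.
#   The body runs in a subshell so the caller's cwd is untouched.
renew_ca_demo() (
    dir=$1
    days=${2:-3650}   # deliberately longer than the 365-day ikectl default
    mkdir -p "$dir" && cd "$dir"

    # 1. Throwaway CA with a 1-day lifetime, standing in for the CA that is
    #    about to expire (constructed, 2048-bit RSA, unencrypted key).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -days 1 -subj "/CN=Example VPN CA" 2>/dev/null

    # 2. One client certificate issued by that CA: this is what must survive.
    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
        -subj "/CN=client1" 2>/dev/null
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -out client.crt 2>/dev/null

    # 3. Renew: re-sign the existing CA cert with its own key and a new
    #    validity period. Subject, public key, serial and extensions are kept,
    #    so the issuer name / key identifier in the client certs still match.
    openssl x509 -in ca.crt -signkey ca.key -days "$days" \
        -out ca-renewed.crt 2>/dev/null

    # 4. Sanity checks: same public key before and after, and the renewed
    #    cert is not about to expire while the old one is (-checkend exits
    #    non-zero when the certificate expires within the given seconds).
    [ "$(openssl x509 -in ca.crt -pubkey -noout)" = \
      "$(openssl x509 -in ca-renewed.crt -pubkey -noout)" ] || exit 1
    if openssl x509 -in ca.crt -noout -checkend 172800 >/dev/null; then
        exit 1   # old CA cert should be within two days of expiry
    fi
    openssl x509 -in ca-renewed.crt -noout -checkend 172800 >/dev/null || exit 1

    # 5. The previously issued client cert chains to the renewed CA cert.
    openssl verify -CAfile ca-renewed.crt client.crt >/dev/null 2>&1 || exit 1
    echo ok
)

# Stand-alone usage (creates a throwaway directory under the system tmpdir):
# renew_ca_demo "$(mktemp -d)" 3650
```

Two things the script makes visible that the thread only implies: the renewed ca.crt still has to be distributed to every client, exactly as Stuart says, because the signature on the CA certificate changed even though nothing clients compare against (subject, key, serial) did; and because the key is reused, this is a validity extension, not a key rotation, so a CA key you have reason to distrust needs a fresh CA and re-issued client certificates instead.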




Renew/extend CA created with ikectl

2018-12-07 Thread Kim Zeitler

Hello,

before I start getting creative with openssl(1) on my ikectl(8) created ca.

Yesterday my ca certificate expired and I need to renew it (without 
losing all the client certificates)


Is there a recommended way of renewing the ca.crt created using ikectl 
ca create?
I didn't find anything in the man pages nor on the mailing list. Having 
had a look at ikeca.c gave me some idea of how the file is created.


Also is there a way of having the ca cert valid for more than 365 days?

Cheers,
Kim