...a bit naive, I know, but I'd rather be safe than regret it a week later ;-)

We have an existing internal CA designed around an OpenSSL 0.9.5 signed CA (obviously we're using a newer release of OpenSSL now - but the CA cert was created under 0.9.5). It's all working well - until now. We have found that we cannot sign certs created by Cisco IOS - well, it can - but then the Cisco refuses to use it. Upon talking to Cisco, they say it's because our CA has a serial number of "0" - which is illegal(!?). They said this was a known bug in OpenSSL that was fixed in a later release...

Anyway, if all that is true, I'd like to simply re-create the CA cert under a newer OpenSSL release - using the existing private key and serial number 1 - which for some reason is actually available (the first signed cert starts at 2 - don't know why!). If I do that (i.e. "openssl req -key "existing.key" -x509 -new ..."), will it break the existing infrastructure?

I've gone as far as creating the new CA public key/"root cert" and diffing it against the old signed cert, which just shows a different serial number, different dates, and some signature hexes that look different. I mean, the public key created from the private key looks identical to the old public key, so existing (old) HTTPS web servers that only accept connections from client certs signed by our (old) CA should happily accept client certs signed by our (new) CA?

What about CRLs? We make extensive use of CRLs to ensure only valid certs are accepted, so I'm worried about that breaking.

I'm pretty sure that is doable - I'm just worried there are known bugs/issues around this that may sting me a week/month later...

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
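The question above (re-issuing a CA certificate from the same private key with a new serial number, and whether existing client certs and CRLs survive it) can be rehearsed end to end on a throwaway CA before touching the real one. The script below is an added example, not code from the original post or from mod_ssl/OpenSSL; the file names, the CA DN, the serial numbers and the minimal "openssl ca" configuration used to produce the CRL are all assumptions, since the poster's real CA layout is not shown. It builds one CA key, an "old" CA cert with serial 0 and a "new" one with serial 1, issues client certs under the old cert, and then checks three things: that the public key in both CA certs is identical, that a client cert issued under the old CA cert still chains to the new one, and that a CRL signed with the same key but naming the new CA cert as issuer is honoured. It also checks the one thing that would break a re-issue: a client cert whose Authority Key Identifier pins the issuer's serial number instead of just its key id.

```shell
#!/bin/sh
# Added example, not from the original post: re-issue a CA certificate from the
# existing private key, then check what that means for certs and CRLs that were
# issued under the old CA cert. File names, DNs and serials are assumptions.
set -eu

WORK=${WORK:-$(mktemp -d)}
CA_SUBJ="/CN=Example Internal CA"   # assumed DN; the re-issued cert must keep it

# One CA key, two CA certs: "old" with serial 0 (the situation in the post) and
# "new" with serial 1. Only the certificate is regenerated, never the key.
make_ca_certs() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/ca.key" -subj "$CA_SUBJ" -days 3650 \
        -set_serial 0 -out "$WORK/ca-old.crt"
    openssl req -new -x509 -key "$WORK/ca.key" -subj "$CA_SUBJ" -days 3650 \
        -set_serial 1 -out "$WORK/ca-new.crt"
}

# The public key carried by both CA certs must be byte-identical; apart from
# serial, validity dates and signature nothing else should differ.
same_pubkey() {
    [ "$(openssl x509 -in "$WORK/ca-old.crt" -pubkey -noout)" = \
      "$(openssl x509 -in "$WORK/ca-new.crt" -pubkey -noout)" ]
}

# Issue a client cert under the OLD CA cert, as the existing fleet was.
issue_client() {   # $1 = client name, $2 = serial
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" -out "$WORK/$1.csr"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca-old.crt" -CAkey "$WORK/ca.key" \
        -set_serial "$2" -days 365 -out "$WORK/$1.crt" 2>/dev/null
}

# Chain check: exit 0 if the client cert verifies against the given CA cert.
client_verifies_against() {   # $1 = CA cert file, $2 = client name
    openssl verify -CAfile "$1" "$WORK/$2.crt" >/dev/null 2>&1
}

# Revoke a cert and issue a CRL with the same CA key, naming the NEW CA cert
# as issuer. Minimal "openssl ca" config (assumed); starts from an empty DB.
make_crl_revoking() {   # $1 = client name
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK
certificate = $WORK/ca-new.crt
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 30
EOF
    : > "$WORK/index.txt"
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" >/dev/null 2>&1
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1
}

# CRL check: exit 0 if the cert is accepted, non-zero if it is revoked or the
# CRL does not verify against the given CA cert.
client_passes_crl_check() {   # $1 = CA cert file, $2 = client name
    openssl verify -crl_check -CAfile "$1" -CRLfile "$WORK/ca.crl" \
        "$WORK/$2.crt" >/dev/null 2>&1
}

# The thing that would break a re-issue: an Authority Key Identifier that pins
# the issuer's serial number rather than only its key id. Exit 0 if it does.
akid_pins_issuer_serial() {   # $1 = client name
    openssl x509 -in "$WORK/$1.crt" -noout -text |
        grep -A3 'Authority Key Identifier' | grep -q 'serial:'
}

run_demo() {
    make_ca_certs
    same_pubkey && echo "public key identical in old and new CA cert"
    issue_client client1 2
    issue_client client2 3
    client_verifies_against "$WORK/ca-new.crt" client1 &&
        echo "client1 (issued under old CA cert) chains to the new CA cert"
    make_crl_revoking client1
    client_passes_crl_check "$WORK/ca-new.crt" client2 && echo "client2: CRL check OK"
    client_passes_crl_check "$WORK/ca-new.crt" client1 || echo "client1: revoked"
    akid_pins_issuer_serial client1 || echo "client AKID does not pin the issuer serial"
}

if [ "${1:-}" = run ]; then run_demo; fi
```

Run it as `sh reissue-check.sh run`; it needs an `openssl` binary with `-set_serial` on `req`/`x509` and `-CRLfile` on `verify` (any 1.0.2 or later release). The chain and CRL checks pass because OpenSSL matches an issuer by subject name and, when present, by key id, and both are unchanged when only the CA certificate is regenerated from the same key. The last check is the caveat to carry over to a real CA: if certs were issued with `authorityKeyIdentifier=issuer:always`, the AKID also carries the issuer DN and serial, and those certs would stop chaining to a CA cert with a different serial until re-issued.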