Aw: Re: Re: Converting a root certificate from md5 to sha1

2014-04-16 Thread steffo76
Okay, thanks for all the information, here's what I did and what will go into
testing:

- Recreated a CSR from the root CA cert using

openssl x509 -x509toreq -in cacert.crt -signkey cakey.key -sha1 -out newcert.csr

- Set the system date back to the start day of the old root cert

- Recreated the CA cert

openssl req -in newcert.csr -key cakey.key -x509 -days blablabla -out ca_new.crt

So far this looks promising: the serial number is fresh, the start date to
end date range includes all my existing certs, and I hope that this is the end.

Thanks,
Stephan

Sent: Tuesday, 15 April 2014 at 22:28
From: Kyle Hamilton aerow...@gmail.com
To: openssl-users openssl-users@openssl.org
Subject: Re: Re: Converting a root certificate from md5 to sha1
Stephan,

It depends on how pedantic your clients are. If you aren't rekeying,
it shouldn't matter, though.

X.509 has a Subject and an Issuer. The Issuer of a certificate is
the Subject of the certificate whose private key was used to sign it.
If the Issuer doesn't change, then the matching algorithm doesn't
change at all.

However, the answer is always going to be test the clients in your
environment. There are a *lot* of options, a *lot* of things that
can potentially get screwed up, and there's no way to make a blanket
statement without caveat.

The problem with that command, though, is that it doesn't change the
serial number, or the signing algorithm claimed in the main
certificate. Anything which pedantically enforces the rule that the
signing algorithm claimed in the TbsCertificate MUST match the signing
algorithm in the Certificate is going to fail. (I think I saw a root
certificate from Boeing which failed that particular test.)

As always, your mileage may vary. The proper way to do this is to
create a new certificate request with the appropriate information, and
then sign it, but OpenSSL makes that difficult.

-Kyle H


On Tue, Apr 15, 2014 at 6:54 AM, steff...@gmx.de wrote:
You need to generate a new certificate with the same data (except a
different serial number and a reference to sha1WithRSAEncryption),
containing the same public key, and signed with the same private key.

I'd recommend sha256WithRSAEncryption, but that's possibly not an
option for you.

Make sure that you do not reuse the same serial number, it *will*
cause problems (particularly for such software as Firefox, but also
for anything that's written in an X.509-pedantic mode).

-Kyle H

 Okay, thanks. Would this mean that I need to replace the old root cert with
 the new one on all clients? I have certificates that are already in use and
 the new root cert would have a start date of today, wouldn't it confuse the
 client when the start date of the cert is older than that of the root cert?

 Also I managed to convert the existing root cert from md5 to sha1 with

 openssl x509 -sha1 -inform pem -outform pem -in cacert.pem -out 
 cacertsha1.pem -signkey cakey.pem

 this recreates the cert with sha1 but it also resets the startdate to now.
 I tried using -startdate and -enddate but openssl moans that it doesn't
 recognize the date as an option. I tried 'Jan 01 10:37:30 2014 GMT' as well as
 the YYMMDDHHMMSSZ, neither works.

 Thanks,
 Stephan

On Tue, Apr 15, 2014 at 1:41 AM, steff...@gmx.de wrote:
 Hello world,

 I am running my own little CA and the root certificate was created using 
 md5:

 Signature Algorithm: md5WithRSAEncryption

 I need to change this to sha1 because I have clients that do not accept md5
 anymore. Is there any way to convert the existing cert from md5 to sha1? I
 tried converting it to another format and then reimporting it using -sha1
 but this doesn't work.

 Thanks,
 Stephan


 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List openssl-users@openssl.org
 Automated List Manager majord...@openssl.org


Converting a root certificate from md5 to sha1

2014-04-15 Thread steffo76
Hello world,

I am running my own little CA and the root certificate was created using md5: 

Signature Algorithm: md5WithRSAEncryption

I need to change this to sha1 because I have clients that do not accept md5
anymore. Is there any way to convert the existing cert from md5 to sha1? I
tried converting it to another format and then reimporting it using -sha1 but
this doesn't work.

Thanks,
Stephan


Aw: Re: Converting a root certificate from md5 to sha1

2014-04-15 Thread steffo76
You need to generate a new certificate with the same data (except a
different serial number and a reference to sha1WithRSAEncryption),
containing the same public key, and signed with the same private key.

I'd recommend sha256WithRSAEncryption, but that's possibly not an
option for you.

Make sure that you do not reuse the same serial number, it *will*
cause problems (particularly for such software as Firefox, but also
for anything that's written in an X.509-pedantic mode).

-Kyle H

Okay, thanks. Would this mean that I need to replace the old root cert with the
new one on all clients? I have certificates that are already in use and the
new root cert would have a start date of today, wouldn't it confuse the client
when the start date of the cert is older than that of the root cert?

Also I managed to convert the existing root cert from md5 to sha1 with 

openssl x509 -sha1 -inform pem -outform pem -in cacert.pem -out cacertsha1.pem 
-signkey cakey.pem

this recreates the cert with sha1 but it also resets the startdate to now. I
tried using -startdate and -enddate but openssl moans that it doesn't recognize
the date as an option. I tried 'Jan 01 10:37:30 2014 GMT' as well as the
YYMMDDHHMMSSZ, neither works.

Thanks,
Stephan

On Tue, Apr 15, 2014 at 1:41 AM, steff...@gmx.de wrote:
 Hello world,

 I am running my own little CA and the root certificate was created using md5:

 Signature Algorithm: md5WithRSAEncryption

 I need to change this to sha1 because I have clients that do not accept md5
 anymore. Is there any way to convert the existing cert from md5 to sha1? I
 tried converting it to another format and then reimporting it using -sha1
 but this doesn't work.

 Thanks,
 Stephan


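The checks this thread argues about, written up as an added example that is not part of the original messages and not OpenSSL's own code: Kyle's point that the algorithm named inside TBSCertificate must agree with the outer signatureAlgorithm and that the serial number must not be reused, and Stephan's concern that certificates already issued should fall inside the new root's validity window (treated here as a client-side expectation, which is an assumption, not an RFC 5280 requirement). The DER walker uses only the Python standard library. The builder is a constructed fixture with dummy signature bytes and empty names, so nothing it produces is a real certificate, and all function names are my own.

```python
"""Structural checks on a re-issued root certificate, standard library only.
Reads just enough DER to recover the serial, TBSCertificate.signature, the outer
signatureAlgorithm and the validity window; build_dummy_cert() is a constructed fixture."""
from datetime import datetime, timezone

# DER content bytes of the OIDs named in the thread (1.2.840.113549.1.1.x)
MD5_RSA = bytes.fromhex("2a864886f70d010104")
SHA1_RSA = bytes.fromhex("2a864886f70d010105")
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")
ALG_NAMES = {MD5_RSA: "md5WithRSAEncryption", SHA1_RSA: "sha1WithRSAEncryption",
             SHA256_RSA: "sha256WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _decode_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_certificate(der):
    """Return the fields the thread argues about, from a DER-encoded Certificate."""
    _, cert, _ = _read_tlv(der, 0)
    (_, tbs), (_, outer_alg), _signature = _children(cert)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                     # optional EXPLICIT [0] version comes first
        fields = fields[1:]
    not_before, not_after = (_decode_time(t, v) for t, v in _children(fields[3][1]))
    return {"serial": int.from_bytes(fields[0][1], "big", signed=True),
            "tbs_alg": _children(fields[1][1])[0][1],    # OID bytes inside AlgorithmIdentifier
            "outer_alg": _children(outer_alg)[0][1],
            "not_before": not_before, "not_after": not_after}

def check_reissued_root(old_der, new_der, issued_ders=()):
    """List what a pedantic client could object to; an empty list passes every check."""
    name = lambda oid: ALG_NAMES.get(oid, oid.hex())
    old, new = parse_certificate(old_der), parse_certificate(new_der)
    problems = []
    if new["tbs_alg"] != new["outer_alg"]:
        problems.append(f"algorithm mismatch: TBSCertificate says {name(new['tbs_alg'])}, "
                        f"signatureAlgorithm says {name(new['outer_alg'])}")
    if new["serial"] == old["serial"]:
        problems.append("serial number reused from the old root")
    if new["outer_alg"] == MD5_RSA:
        problems.append("still signed with md5WithRSAEncryption")
    for leaf_der in issued_ders:                 # nesting check: a client expectation, not an RFC 5280 rule
        leaf = parse_certificate(leaf_der)
        if not (new["not_before"] <= leaf["not_before"] and leaf["not_after"] <= new["not_after"]):
            problems.append(f"issued cert serial {leaf['serial']} lies outside the new root's validity")
    return problems

# --- constructed fixture builder: dummy signature bytes and empty names, not real certificates ---
def _tlv(tag, val):
    n = len(val)
    if n >= 0x80:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + val
    return bytes([tag, n]) + val

def build_dummy_cert(serial, tbs_alg, outer_alg, not_before, not_after):
    alg = lambda oid: _tlv(0x30, _tlv(0x06, oid) + b"\x05\x00")                 # AlgorithmIdentifier
    utc = lambda dt: _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))  # UTCTime
    empty = _tlv(0x30, b"")                                                   # stand-in Name / SPKI
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),                                      # version v3
        _tlv(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big")),     # positive INTEGER
        alg(tbs_alg), empty, _tlv(0x30, utc(not_before) + utc(not_after)), empty, empty]))
    return _tlv(0x30, tbs + alg(outer_alg) + _tlv(0x03, bytes(17)))           # dummy signature

def demo():
    """Constructed scenario: an md5 root, a leaf issued under it, and two candidate re-issues."""
    start = datetime(2014, 1, 1, 10, 37, 30, tzinfo=timezone.utc)
    end = datetime(2024, 1, 1, tzinfo=timezone.utc)
    old_root = build_dummy_cert(1, MD5_RSA, MD5_RSA, start, end)
    leaf = build_dummy_cert(1000, MD5_RSA, MD5_RSA, datetime(2014, 3, 1, tzinfo=timezone.utc),
                            datetime(2015, 3, 1, tzinfo=timezone.utc))
    # hypothetical bad re-issue: serial kept, only the outer algorithm changed, notBefore reset to "today"
    bad = build_dummy_cert(1, MD5_RSA, SHA1_RSA, datetime(2014, 4, 15, tzinfo=timezone.utc), end)
    # what the thread converges on: fresh serial, both algorithm fields agree, original validity window
    good = build_dummy_cert(2, SHA1_RSA, SHA1_RSA, start, end)
    return check_reissued_root(old_root, bad, [leaf]), check_reissued_root(old_root, good, [leaf])

if __name__ == "__main__":
    for label, problems in zip(("bad re-issue", "good re-issue"), demo()):
        print(f"{label}: {problems or 'no objections'}")
```

To run the checks on real material, export each certificate with `openssl x509 -in cert.pem -outform der` and pass the resulting bytes to check_reissued_root; the dummy builder exists only so the file runs offline, and a structural pass says nothing about whether the signature verifies.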