Re: [openssl-users] certificate renewal without restarting processes
> On May 25, 2017, at 10:28 AM, Salz, Rich via openssl-users wrote:
>
>> It uses SSL_CTX_use_certificate_chain_file in some places and in other places
>> it uses PEM_read_bio_X509
>>
>> When these APIs are used, can the OpenSSL stack detect updated files on
>> disk and reload them without any intervention from the application?
>
> No, it's a load and use the current contents.
>
> You can call them multiple times; the old content will be removed and new
> content reloaded.

I doubt this is safe in multi-threaded applications. The only way to do this safely in that situation is to create a new SSL_CTX with the new certificate chain, and arrange for *new* connections to use the new context, while existing connections continue to use the old context.

It is possible to call SSL_CTX_free() on the old context even while it is in use, since the object is reference counted and will be finally freed by the last thread to release the object. However, care is required to avoid a race against new threads starting to still use the old context. So some sort of memory barrier is needed to ensure that only the new context is used to start new connections before calling SSL_CTX_free() on the old.

In practice you need some sort of lock that supports shared and exclusive access around whatever structure encapsulates the updatable SSL_CTX:

    worker thread:
        acquire read lock
        use current SSL_CTX to call SSL_new()
        release read lock

    update thread:
        acquire write lock
        SSL_CTX_free current context
        set new context as current context
        release write lock

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] certificate renewal without restarting processes
> It uses SSL_CTX_use_certificate_chain_file in some places and in other places
> it uses PEM_read_bio_X509
>
> When these APIs are used, can the OpenSSL stack detect updated files on
> disk and reload them without any intervention from the application?

No, it's a load and use the current contents.

You can call them multiple times; the old content will be removed and new content reloaded.
[openssl-users] certificate renewal without restarting processes
Hi,

The reSIProcate project is using OpenSSL to load[1] certificates and private keys.

It uses SSL_CTX_use_certificate_chain_file in some places and in other places it uses PEM_read_bio_X509

When these APIs are used, can the OpenSSL stack detect updated files on disk and reload them without any intervention from the application?

If not, is there any alternative API function that can do that?

If it can't be done within OpenSSL, what is the right way for the application developer to go about it? Can those methods simply be called again when a file has been updated, or is any cleanup needed before trying to load the new cert?

Regards,

Daniel

1. https://github.com/resiprocate/resiprocate/blob/master/resip/stack/ssl/Security.cxx#L386
Re: Regarding Certificate renewal
Ho there,

from the technical perspective (which is the thing this list is concerned with) a renewed certificate is a new certificate for the same keys as the old one. No step of the three you list as necessary is necessary from the openssl point of view, but may be required by your CA.

The data contained in the renewed certificate, beside the public part of the key, is completely up to the issuing CA and usually laid down in their policies. So, you should address your questions to the CA you want to get your certificates from. If you are implementing your own CA, you have to decide what you want to do.

Or was your question about best practices when creating a CA policy?

Hope this helps at least a bit,
Ted ;)

On 21.01.2014 06:51, Kamalraj Madhurakasan wrote:
> Hello guys,
>
> I would like to know whether my understanding about certificate renewal is correct or not.
>
> To renew the certificate:
> 1. we need to generate a new CSR from the private key
> 2. revoke the old certificate
> 3. get the new CSR signed by the CA with validity extended
>
> The fields that are common between the old and the new renewed certificate will be:
> 1. SKI
> 2. AKI
> 3. Issuer
> 4. Public Key
>
> The fields that are not common are:
> 1. subject (I see that while generating a new CSR we can change the subject)
> 2. Serial number
> 3. Other fields
>
> Please share your inputs on this.
>
> Thanks
> Kamalraj

-- 
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: Regarding Certificate renewal
Hello Ted,

In our application we have a requirement to introduce a new option which allows customers to renew their certificates which were installed in it already. We would like to find out whether the new certificate is really a renewal certificate of the old one, so that we can allow them to replace the old one with the new one. So to find out the match we decided to use the fields (Issuer or Subject) and Serial number. But when I used openssl to create a renewed certificate as in the steps I mentioned already, I see that the subject can be altered and the serial number is different.

From your mail I understand that other than the public key, any field can be different or the same based on the CA that the customer uses. We have many customers across the globe and they get their certificates signed and renewed by many CAs in the market. So my conclusion is it's up to us to decide now on choosing match fields.

Let me know if I am missing something.

Thanks
Kamalraj

On Tue, Jan 21, 2014 at 1:30 PM, Bernhard Fröhlich <t...@convey.de> wrote:
> Ho there,
>
> from the technical perspective (which is the thing this list is concerned with) a renewed certificate is a new certificate for the same keys as the old one. No step of the three you list as necessary is necessary from the openssl point of view, but may be required by your CA.
>
> The data contained in the renewed certificate, beside the public part of the key, is completely up to the issuing CA and usually laid down in their policies. So, you should address your questions to the CA you want to get your certificates from. If you are implementing your own CA, you have to decide what you want to do.
>
> Or was your question about best practices when creating a CA policy?
>
> Hope this helps at least a bit,
> Ted ;)
>
> On 21.01.2014 06:51, Kamalraj Madhurakasan wrote:
>> [...]
Re: Regarding Certificate renewal
On 21.01.2014 11:21, Kamalraj Madhurakasan wrote:
> Hello Ted,
>
> In our application we have a requirement to introduce a new option which allows customers to renew their certificates which were installed in it already. We would like to find out whether the new certificate is really a renewal certificate of the old one, so that we can allow them to replace the old one with the new one. So to find out the match we decided to use the fields (Issuer or Subject) and Serial number. But when I used openssl to create a renewed certificate as in the steps I mentioned already, I see that the subject can be altered and the serial number is different.
>
> From your mail I understand that other than the public key, any field can be different or the same based on the CA that the customer uses. We have many customers across the globe and they get their certificates signed and renewed by many CAs in the market. So my conclusion is it's up to us to decide now on choosing match fields.
>
> Let me know if I am missing something.

Now, I don't know the details of your software, but I'd advise to use the subject fields (maybe only some of them) to identify the customer. Though there's no guarantee, my guess is that in most renewed certificates the subject won't change... Also you'll catch those customers who'll want to use new keys. Same issuer makes some sense, because usually another CA will have more or less subtle differences in the subject fields. Of course you'll never get 100% of all renewed certificates, but a good percentage should be possible.

I'd not restrict identification to the same public key, because that's only a technical detail, but has no intrinsic connection to the person who uses it.

The serial number is definitively useless for your purpose.

All this has not much to do with openssl, so maybe we should move to private discussion if you still have questions. And maybe I should think about consulting charges... :-)

Hope this helps,
Ted

> Thanks
> Kamalraj
>
> On Tue, Jan 21, 2014 at 1:30 PM, Bernhard Fröhlich <t...@convey.de> wrote:
>> [...]

-- 
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
Regarding Certificate renewal
Hello guys,

I would like to know whether my understanding about certificate renewal is correct or not.

To renew the certificate:
1. we need to generate a new CSR from the private key
2. revoke the old certificate
3. get the new CSR signed by the CA with validity extended

The fields that are common between the old and the new renewed certificate will be:
1. SKI
2. AKI
3. Issuer
4. Public Key

The fields that are not common are:
1. subject (I see that while generating a new CSR we can change the subject)
2. Serial number
3. Other fields

Please share your inputs on this.

Thanks
Kamalraj
Certificate renewal
Hi,

My apologies for a slightly off-topic question.

When certificates are renewed in most scenarios, is it usual to generate a new RSA key pair or would a client re-use the existing keys and just ask for a new certificate with those keys?

Thanks for any guidance or pointers...

Regards,
Carl
Re: Certificate renewal
Hi,

RFC 3647 defines certificate renewal as follows:

    Certificate renewal means the issuance of a new certificate to the
    subscriber without changing the subscriber or other participant's
    public key or any other information in the certificate.

http://www.faqs.org/rfcs/rfc3647.html (section 4.4.6)

Best regards,
Arsen.

On Thu, 30 Jul 2009, carlyo...@keycomm.co.uk wrote:
> Hi,
>
> My apologies for a slightly off-topic question.
>
> When certificates are renewed in most scenarios, is it usual to generate a new RSA key pair or would a client re-use the existing keys and just ask for a new certificate with those keys?
>
> Thanks for any guidance or pointers...
>
> Regards,
> Carl
Problem with OIDs during CA root certificate renewal
Hello,

I have a problem with OIDs during CA root certificate renewal. I am using openssl 0.9.6b.

I've performed the following steps:

1) Converting the existing certificate to a CSR:

    openssl x509 -x509toreq -in old_cert.pem -signkey PrivKey.pem -out careq.csr

2) Signing the request with the existing private key:

    openssl x509 -req -days 333 -extfile openssl.cnf -extensions v3_ca -signkey PrivKey.pem -in careq.csr -out cacert.pem

I've tried two options in the openssl.cnf file. In either case I got an error when executing the second command.

* First option:

    oid_section=new_oids

    [ new_oids ]
    AOID=a.b.c.d.e.f.g
    BOID=${AOID}.h
    COID=${BOID}.i.j.k

    [ policy01 ]
    policyIdentifier=COID

    [ v3_ca ]
    ...
    certificatePolicies=ia5org, @policy01
    ...

I've got:

    Error Loading extension section v3_ca
    487:error:2208306E:X509 V3 routines:POLICY_SECTION:invalid object identifier:v3_cpols.c:159:section:policy01,name:policyIdentifier,value:COID
    487:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:91:name=certificatePolicies,value=ia5org, @policy01

* Second option:

    [ policy01 ]
    policyIdentifier=a.b.c.d.e.f.g.h.i.j.k

    [ v3_ca ]
    ...
    certificatePolicies=ia5org, @policy01
    ...

I've got:

    Error Loading extension section v3_ca
    491:error:0D06B089:asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:130:
    491:error:0D081065:asn1 encoding routines:d2i_ASN1_OBJECT:bad object header:a_object.c:217:
    491:error:2208306E:X509 V3 routines:POLICY_SECTION:invalid object identifier:v3_cpols.c:159:section:policy01,name:policyIdentifier,value:a.b.c.d.e.f.g.h.i.j.k
    491:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:91:name=certificatePolicies,value=ia5org, @policy01

How can I address this issue?

Thank you in advance,
Arsen.

-- 
PGP Key: ID 0xBBE3DFD8 (expires: 2006-08-03)
Fingerprint: 1C3B 2C01 40DF ED87 23B1 BF6F 95C4 2E77 BBE3 DFD8
Re: certificate renewal with openSSL
Nobody answered me this one... I will have to try to revoke a certificate to see if I can add it later.

However, most root CAs keep old certificates as valid, because it takes some time to install a new certificate on a machine...

Cheers

On 14 Nov 2001 12:29:30 -0500, POLIVKA-ROHRER, KEITH W. (AIT) wrote:
> Did anybody answer this question? Or do you have to just grep -v the index.txt file to get rid of the offending DN?
>
> Keith
>
> Keith Polivka-Rohrer
> CBR - Customer Billing Relationships
> Specialist, Server Development
> Phone: 847-898-2841
> Fax: 847-898-2544
Re: Certificate Renewal
On Wed, 7 Feb 2001, John Douglass wrote:
> Is anyone playing around with certificate renewals? I'm trying to figure out how to accomplish this given:
>
> 1) Certificate is installed in the browser already
> 2) I have the certificate (SPKAC) file on the CA
> 3) I have the signed public key on the CA
>
> In order to "renew" do I:
>
> A) Need to "resign" the SPKAC request
> or
> B) Apply modification of the signed public key (with the appropriate commands, then cat to the browser) and update the "index.txt" file that OpenSSL uses?
>
> I was originally attempting to revoke, resign the SPKAC file faking the "serial" number, but OpenSSL didn't like that. :)

I think I figured it out. I just need to resign the SPKAC file and then cat that to netscape. It does the pairing up with the private key. Netscape automatically selects the latest certificate associated with the key. However the browser does have a record of the OLD signed key (which you can view/delete at will). There is a new serial number associated with the certificate but the old serial will be expired soon at any rate.

Since we're not doing Digital Signature or S/MIME with our certs, this will probably work for us. I'll have to test the S/MIME behaviour at a later date to see if this method of renewal still allows for the encrypted info to be read.

If anyone has a better suggestion or more experience than I, I'd love the correction in my implementation.

- JohnD, Georgia Tech
Re: Certificate renewal
Hi,

This solution was interesting but it seems that I need the private key of the user certificate to sign the request (and unfortunately it was created and stored in the client browser).

    openssl x509 -x509toreq -in cert.pem -out req.pem
    Getting request Private Key
    no request key file specified

It seems I have no other choice but to keep the request files to renew certs.

Maxime.

> Maybe you can also try to generate a new request from an expired cert.
>
>     openssl x509 -x509toreq
>
>> I think renewal is interesting because [...]
>
> It's always a matter of your local policy.
>
> Ciao, Michael.
Re: Certificate renewal
Maxime Dubois wrote:
> This solution was interesting but it seems that I need the private key of the user certificate to sign the request

Yes, my fault. Use the old cert request. You should store them for auditing reasons anyway.

Ciao, Michael.
Re: Certificate renewal
Thanks

So I need to keep request files as I keep cert files...

I think renewal is interesting because we don't think the validity period of certs is determined by their weakness but by an internal policy of users and CRL management. In an organisation delivering certificates to its members, we don't know how long they will stay there and so can't deliver long-time certs. So the renewal has some long-term benefits for users (e.g. when using secure mail).

Regards.
Maxime

> Maxime Dubois wrote:
>> I generate user certificates with IE and Netscape by using Xenroll dll and Keygen, I want to know if I can renew a certificate: revoke the old one but generate a new certificate for the SAME key pair.
>
> If you store the certificate requests (SPKAC in case of Netscape Navigator or PKCS#10 in case of M$ IE) you can issue new certificates for the same key pair later. But think again if certificate renewals make sense. It depends on your security considerations.
>
> Ciao, Michael.
Re: Certificate renewal
Maxime Dubois wrote:
> So I need to keep request files as I keep cert files...

Maybe you can also try to generate a new request from an expired cert.

    openssl x509 -x509toreq

> I think renewal is interesting because [...]

It's always a matter of your local policy.

Ciao, Michael.
Re: Certificate renewal
Radovan Semancik wrote:
> And what about the certificate serial number? Will it be changed or stay the same? Will the user download a renewed certificate just as an "original" one? Won't Netscape complain about a duplicate certificate?

No, the serial number is different. Netscape will correctly import it and recognize it is the same certificate (try to display it and you'll get an idea of what I am saying).

C'you,
Massimiliano Pala ([EMAIL PROTECTED])
Re: Certificate renewal
[EMAIL PROTECTED] wrote:
> Radovan Semancik wrote:
>> Hi!
>>
>> Maybe this is FAQ or even OT, but anyway: How is certificate renewal done? I mean the case that a user's certificate expired and she wants a new one. Does the user send a new CSR? How does the CA handle it? And how about the serial number? I don't think it will be the same for the expired and the renewed certificate. Is that the case?
>>
>> TIA
>
> To renew a certificate you don't have to resend a Request to the CSP - at least Netscape doesn't support it (AFAIK) - simply the CSP should have kept a copy of your original request and issue a new certificate with a new validity period.
>
> This almost depends on the crypto layer you are using and policies you are following. If you simply renew the same key-pair just use the old request, but keep in mind that it is a good policy to renew all keys in a 2 year period...

And what about the certificate serial number? Will it be changed or stay the same? Will the user download a renewed certificate just as an "original" one? Won't Netscape complain about a duplicate certificate?

-- 
Ing. Radovan Semancik ([EMAIL PROTECTED])
System Engineer, Business Global Systems a.s.
http://storm.alert.sk
Re: Certificate renewal
Radovan Semancik wrote:
> Hi!
>
> Maybe this is FAQ or even OT, but anyway: How is certificate renewal done? I mean the case that a user's certificate expired and she wants a new one. Does the user send a new CSR? How does the CA handle it? And how about the serial number? I don't think it will be the same for the expired and the renewed certificate. Is that the case?
>
> TIA

To renew a certificate you don't have to resend a Request to the CSP - at least Netscape doesn't support it (AFAIK) - simply the CSP should have kept a copy of your original request and issue a new certificate with a new validity period.

This almost depends on the crypto layer you are using and policies you are following. If you simply renew the same key-pair just use the old request, but keep in mind that it is a good policy to renew all keys in a 2 year period...

C'you,
Massimiliano Pala ([EMAIL PROTECTED])
Certificate renewal
Hi!

Maybe this is FAQ or even OT, but anyway: How is certificate renewal done? I mean the case that a user's certificate expired and she wants a new one. Does the user send a new CSR? How does the CA handle it? And how about the serial number? I don't think it will be the same for the expired and the renewed certificate. Is that the case?

TIA

-- 
Ing. Radovan Semancik ([EMAIL PROTECTED])
System Engineer, Business Global Systems a.s.
http://storm.alert.sk
certificate renewal
Hi,

Does anyone know how to renew a certificate? I tried:

    openssl x509 -x509toreq -in cert_file -out csr_file -signkey CA_private_key

but the signature of the created csr_file is incorrect. Does the 'ca' package have a renew function?

In addition, I can't sign certs with the same DN but non-overlapping validity periods (I use the -startdate option).

Also, the ssleay.doc said index.txt has a status 'E' for expiry. How can I activate it? Does it matter?

Rgds.
Martin
certificate renewal with MSIE 5
I'm having difficulty installing a new certificate after a certificate renewal with MSIE 5. Our certification authority has been tested for some time; now we have generated new CA key pairs. In fact MSIE doesn't "refresh" the new certificate. (The same tests with Communicator 4.61 work fine ;-)

Thanks
Miguel Angel