Re: [openssl-users] certificate renewal without restarting processes

[Viktor Dukhovni]

> On May 25, 2017, at 10:28 AM, Salz, Rich via openssl-users 
>  wrote:
> 
>> It uses SSL_CTX_use_certificate_chain_file in some places and in other places
>> it uses PEM_read_bio_X509
>> 
>> When these APIs are used, can the OpenSSL stack detect updated files on
>> disk and reload them without any intervention from the application?
> 
> No, it's a load and use the current contents.
> 
> You can call them multiple times; the old content will be removed and new 
> content reloaded.

I doubt this is safe in multi-threaded applications.  The only way to
do this safely in that situation is to create a new SSL_CTX with the
new certificate chain, and arrange for *new* connections to use the new
context, while existing connections continue to use the old context.

It is possible to call SSL_CTX_free() on the old context even while
it is in use, since the object is reference counted and will be finally
freed by the last thread to release the object.  However, care is required
to avoid a race against new threads starting to still use the old context.
So some sort of memory barrier is needed to ensure that the only the new
context is used to start new connections before calling SSL_CTX_free() on
the old.  In practice you need some sort of lock that supports shared and
exclusive access around whatever structure encapsulates the updatable
SSL_CTX:

   worker thread:
acquire read lock
use current SSL_CTX to call SSL_new()
release read lock

   update thread:
acquire write lock:
SSL_CTX_free current context
set new context as current context
release write lock

-- 
Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] certificate renewal without restarting processes

[Salz, Rich via openssl-users]

> It uses SSL_CTX_use_certificate_chain_file in some places and in other places
> it uses PEM_read_bio_X509
> 
> When these APIs are used, can the OpenSSL stack detect updated files on
> disk and reload them without any intervention from the application?

No, it's a load and use the current contents.

You can call them multiple times; the old content will be removed and new 
content reloaded.


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] certificate renewal without restarting processes

[Daniel Pocock]

Hi,

The reSIProcate project is using OpenSSL to load[1] certificates and
private keys.

It uses SSL_CTX_use_certificate_chain_file in some places and in other
places it uses PEM_read_bio_X509

When these APIs are used, can the OpenSSL stack detect updated files on
disk and reload them without any intervention from the application?

If not, is there any alternative API function that can do that?

If it can't be done within OpenSSL, what is the right way for the
application developer to go about it?  Can those methods simply be
called again when a file has been updated, or is any cleanup needed
before trying to load the new cert?

Regards,

Daniel



1.
https://github.com/resiprocate/resiprocate/blob/master/resip/stack/ssl/Security.cxx#L386
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Regarding Certificate renewal

[Bernhard Fröhlich]

Ho there,

from the technical perspective (which is the thing this list is 
concerned with) a renewed certificate is a new certificate for the 
same keys as the old one. No step of the three you list as necessary is 
necessary from the openssl point of view, but may be required by your CA.


The data contained in the renewed certificate, beside the public part 
of the key, is completely up to the issuing CA and usually laid down in 
their policies.


So, you should address your questions to the CA you want to get your 
certificates from. If you are implementing your own CA, you have to 
decide what you want to do.

Or was your question about best practices when creating a CA policy?

Hope this helps at least a bit,
Ted
;)

Am 21.01.2014 06:51, schrieb Kamalraj Madhurakasan:

Hello guys,

I would like to know whether my understanding about certificate 
renewal is correct or not.


To renew the certificate:

1. we need to generate a new CSR from the private key
2. revoke the old certificate
3. get the new CSR signed by the CA with validity extended

The fields that are common between old and new renewed certificate 
will be:


1. SKI
2. AKI
3. Issuer
4. Public Key

The fields are not be common are:

1. subject (I see that while generating new CSR we can change the subject)
2. Serial number
3. Other fields

Please share your inputs on this.

Thanks
Kamalraj



--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Regarding Certificate renewal

[Kamalraj Madhurakasan]

Hello Ted,

In our application we have requirement to introduce new option which allows
customers to renew their certificates which was installed in it already.

We would like to find out whether the new certificate is really a renewal
certificate of old one so that we can allow them to replace the old one
with new one.

So to find out the match we decided to use fields (Issuer Or subject) And
Serial number. But when I used openssl to create renew certificate as in
the steps I mentioned already I see that the subject can be altered and
serial number is different.

From your mail I understand that other than public key, any field can be
different or same based on the CA that customer uses. We have many
customers across globe and they get their certificates signed and renewed
by many CA in market.

So my conclusion, is its up to us to decide now on choosing match fields.
Let me know if I am missing something.

Thanks
Kamalraj



On Tue, Jan 21, 2014 at 1:30 PM, Bernhard Fröhlich t...@convey.de wrote:

 Ho there,

 from the technical perspective (which is the thing this list is concerned
 with) a renewed certificate is a new certificate for the same keys as the
 old one. No step of the three you list as necessary is necessary from the
 openssl point of view, but may be required by your CA.

 The data contained in the renewed certificate, beside the public part of
 the key, is completely up to the issuing CA and usually laid down in their
 policies.

 So, you should address your questions to the CA you want to get your
 certificates from. If you are implementing your own CA, you have to decide
 what you want to do.
 Or was your question about best practices when creating a CA policy?

 Hope this helps at least a bit,
 Ted
 ;)

 Am 21.01.2014 06:51, schrieb Kamalraj Madhurakasan:

  Hello guys,

 I would like to know whether my understanding about certificate renewal
 is correct or not.

 To renew the certificate:

 1. we need to generate a new CSR from the private key
 2. revoke the old certificate
 3. get the new CSR signed by the CA with validity extended

 The fields that are common between old and new renewed certificate will
 be:

 1. SKI
 2. AKI
 3. Issuer
 4. Public Key

 The fields are not be common are:

 1. subject (I see that while generating new CSR we can change the subject)
 2. Serial number
 3. Other fields

 Please share your inputs on this.

 Thanks
 Kamalraj



 --
 PGP Public Key Information
 Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
 Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26


 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org

Re: Regarding Certificate renewal

[Bernhard Fröhlich]

Am 21.01.2014 11:21, schrieb Kamalraj Madhurakasan:

Hello Ted,

In our application we have requirement to introduce new option which 
allows customers to renew their certificates which was installed in it 
already.


We would like to find out whether the new certificate is really a 
renewal certificate of old one so that we can allow them to replace 
the old one with new one.


So to find out the match we decided to use fields (Issuer Or subject) 
And Serial number. But when I used openssl to create renew certificate 
as in the steps I mentioned already I see that the subject can be 
altered and serial number is different.


From your mail I understand that other than public key, any field can 
be different or same based on the CA that customer uses. We have many 
customers across globe and they get their certificates signed and 
renewed by many CA in market.


So my conclusion, is its up to us to decide now on choosing match 
fields. Let me know if I am missing something.


Now, I don't know the details of your software, but I'd advise to use 
the subject fields (maybe only some of them) to identify the customer. 
Though there's no guarantee, my guess is that in most renewed 
certificates the subject won't change... Also you'll catch those 
customers who'll want to use new keys. Same issuer makes some sense, 
because usually another CA will have more or less subtle differences in 
the subject fields.
Of course you'll never get 100% of all renewed certificates, but a 
good percentage should be possible.


I'd not restrict identification to the same public key, because that's 
only a technical detail, but has no intrinsic connection to the person 
who uses it. The serial number is definitively useless for your purpose.


All this has not much to do with openssl, so maybe we should move to 
private discussion if you still have questions. And maybe I should think 
about consulting charges... :-)


Hope this helps,
Ted


Thanks
Kamalraj



On Tue, Jan 21, 2014 at 1:30 PM, Bernhard Fröhlich t...@convey.de 
mailto:t...@convey.de wrote:


Ho there,

from the technical perspective (which is the thing this list is
concerned with) a renewed certificate is a new certificate for
the same keys as the old one. No step of the three you list as
necessary is necessary from the openssl point of view, but may be
required by your CA.

The data contained in the renewed certificate, beside the public
part of the key, is completely up to the issuing CA and usually
laid down in their policies.

So, you should address your questions to the CA you want to get
your certificates from. If you are implementing your own CA, you
have to decide what you want to do.
Or was your question about best practices when creating a CA policy?

Hope this helps at least a bit,
Ted
;)

Am 21.01.2014 06:51, schrieb Kamalraj Madhurakasan:

Hello guys,

I would like to know whether my understanding about
certificate renewal is correct or not.

To renew the certificate:

1. we need to generate a new CSR from the private key
2. revoke the old certificate
3. get the new CSR signed by the CA with validity extended

The fields that are common between old and new renewed
certificate will be:

1. SKI
2. AKI
3. Issuer
4. Public Key

The fields are not be common are:

1. subject (I see that while generating new CSR we can change
the subject)
2. Serial number
3. Other fields

Please share your inputs on this.

Thanks
Kamalraj



-- 
PGP Public Key Information

Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26


__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
mailto:openssl-users@openssl.org
Automated List Manager majord...@openssl.org
mailto:majord...@openssl.org





--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26

Regarding Certificate renewal

[Kamalraj Madhurakasan]

Hello guys,

I would like to know whether my understanding about certificate renewal is
correct or not.

To renew the certificate:

1. we need to generate a new CSR from the private key
2. revoke the old certificate
3. get the new CSR signed by the CA with validity extended

The fields that are common between old and new renewed certificate will be:

1. SKI
2. AKI
3. Issuer
4. Public Key

The fields are not be common are:

1. subject (I see that while generating new CSR we can change the subject)
2. Serial number
3. Other fields

Please share your inputs on this.

Thanks
Kamalraj

Certificate renewal

[carlyoung]

Hi,

My apologies for a slightly off-topic question. When certificates are renewed 
in most scenarios, is it usual to generate a new RSA key pair or would a client 
re-use the existing keys and just ask for a new certificate with those keys?

Thanks for any guidance or pointers...

Regards,

Carl


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Certificate renewal

[Arsen Hayrapetyan]

Hi,

RFC 3647 defines certificte renewal as follows:
Certificate renewal means the issuance of a new certificate to the subscriber 
without changing the
subscriber or other participant's public key or any other information in 
the certificate.


http://www.faqs.org/rfcs/rfc3647.html (section 4.4.6)

Best regards,
Arsen.

On Thu, 30 Jul 2009, carlyo...@keycomm.co.uk wrote:


Hi,

My apologies for a slightly off-topic question. When certificates are renewed 
in most scenarios, is it usual to generate a new RSA key pair or would a client 
re-use the existing keys and just ask for a new certificate with those keys?

Thanks for any guidance or pointers...

Regards,

Carl


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Problem with OIDs during CA root certificate renewal

[Arsen Hayrapetyan]

Hello,
I have a problem with OIDs during CA root certificate renewal.
I am using openssl 0.9.6b.
I've performed the following steps:
1) Converting existing certificate to CSR:
openssl x509 -x509toreq -in old_cert.pem -signkey PrivKey.pem -out careq.csr

2)Signing the request with existing private key.
openssl x509 -req -days 333 -extfile openssl.cnf -extensions v3_ca
-signkey PrivKey.pem -in careq.csr -out cacert.pem

I've tried two options in openssl.cnf file. In either cases I've got an
error when executed the second command.

* First option:

oid_section=new_oids

[ new_oids ]
AOID=a.b.c.d.e.f.g
BOID=${AOID}.h
COID=${BOID}.i.j.k

[ policy01 ]
policyIdentifier=COID

[ v3_ca ]
...
certificatePolicies=ia5org, @policy01
...

I've got:
Error Loading extension section v3_ca
487:error:2208306E:X509 V3 routines:POLICY_SECTION:invalid object\
identifier:v3_cpols.c:159:section:policy01,name:policyIdentifier,value:COID
487:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in
extension:v3_conf.c:91:name=certificatePolicies,\ value=ia5org, @policy01

* Second option:

[ policy01 ]
policyIdentifier=a.b.c.d.e.f.g.h.i.j.k

[ v3_ca ]
...
certificatePolicies=ia5org, @policy01
...

I've got:

Error Loading extension section v3_ca
491:error:0D06B089:asn1 encoding routines:ASN1_get_object:too
long:asn1_lib.c:130:
491:error:0D081065:asn1 encoding routines:d2i_ASN1_OBJECT:bad object
header:a_object.c:217:
491:error:2208306E:X509 V3 routines:POLICY_SECTION:invalid object\
identifier:v3_cpols.c:159:section:policy01,name:policyIdentifier,value:a.b.c.d.e.f.g.h.i.j.k
491:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in
extension:v3_conf.c:91:name=certificatePolicies,\ value=ia5org, @policy01

How can I address this issue?
Thank you in advance,
Arsen.

-- 
PGP Key: ID 0xBBE3DFD8 (expires: 2006-08-03)
Fingerprint: 1C3B 2C01 40DF ED87 23B1  BF6F 95C4 2E77 BBE3 DFD8



smime.p7s
Description: S/MIME Cryptographic Signature

Re: certificate renewal with openSSL

[Franck Martin]

Nobody answered me this one...

I will have to try to revocate a certificate to see if I can add it later

However, most root CA, keep old certificates as valid, because it takes some time to install a new certificate on a machine...

Cheers

On 14 Nov 2001 12:29:30 -0500, POLIVKA-ROHRER, KEITH W. (AIT) wrote: Did anybody answer this question?  Or do you have to just grep -v the
 index.txt file to get rid of the offending DN?
 
 	Keith
 
 Keith Polivka-Rohrer
 CBR - Customer Billing Relationships
 Specialist, Server Development
 Phone: 847-898-2841
 Fax: 847-898-2544 

Re: Certificate Renewal

[John Douglass]

On Wed, 7 Feb 2001, John Douglass wrote:

 Is anyone playing around with certificate renewals?
 
 I'm trying to figure out how to accomplish this given:
 
 1) Certificate is installed in the browser already
 2) I have the certificate (SPKAC) file on the CA
 3) I have the signed public key on the CA
 
 In order to "renew" do I:
 
 A) Need to "resign" the SPKAC request 
 
 or 
 
 B) Apply modification of the signed public key (with the appropriate
   commands, then cat to the browser) and update the "index.txt" 
   file that OpenSSL uses?
 
 I was originally attempting to revoke, resign the SPKAC file
 faking the "serial" number,  but OpenSSL didn't like that.
 
 :)

I think I figured it out. I just need to resign the SPKAC
file and then cat that to netscape. It does the pairing
up with the private key. Netscape automatically selects the
latest certificate associated with the key. However the browser
does have record of the OLD signed key (which you can view/delete
at will). There is a new serialnumber associated with the certificate
but the old serial will be expired soon at any rate.

Since we're not doing Digital Signature or S/MIME with our certs,
this will probably work for us. I'll have to test the
S/MIME behaviour at a later date to see if this method of renewal
still allows for the encrypted info to be read.

If anyone has a better suggestion or more experience than I, I'd
love the correction in my implementation.

- JohnD, Georgia Tech

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Certificate renewal

[Maxime Dubois]

Hi,

This solution was interesting but it seems that I need the private key of
the user certificate to sign the request (and unfortunately it was created
and stored in the client browser).

openssl x509 -x509toreq -in cert.pem -out req.pem
Getting request Private Key
no request key file specified

It seems I have no other choice but to keep the request files to renew
certs.

Maxime.



 Maybe you can also try to generate a new request from an expired
 cert.

 openssl x509 -x509toreq

  I think renewal is interesting because  [...]

 It's always a matter of your local policy.

 Ciao, Michael.
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Certificate renewal

[Michael Ströder]

Maxime Dubois wrote:
 
 This solution was interesting but it seems that I need the private key of
 the user certificate to sign the request

Yes, my fault. Use the old cert request.
You should store them for auditing reasons anyway.

Ciao, Michael.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Certificate renewal

[Maxime Dubois]

Thanks

So I need to keep request files as I keep cert files...

I think renewal is interesting because we don't think the validity period of
certs is determined by their weakness but by an internal policy of users and
CRL management. In an organisation delivering certificates to its members, we
don't know how long they will stay there and so can't deliver long-time
certs. So the renewal has some long-term benefits for users (e.g when using
secure mail).

Regards.
Maxime

 Maxime Dubois wrote:
 
  I generate user certificates with IE and Netscape by using Xenroll dll
  and Keygen, I want to know if I can renew a certificate: revoke the old
  one but generate a new certificate for the SAME key pair.

 If you store the certificate requests (SPKAC in case of Netscape
 Navigator or PKCS#10 in case of M$ IE) you can issue new
 certificates for the same key pair later.

 But think again if certificate renewals make sense. It depends on
 your security considerations.

 Ciao, Michael.
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]





__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Certificate renewal

[Michael Ströder]

Maxime Dubois wrote:
 
 So I need to keep request files as I keep cert files...

Maybe you can also try to generate a new request from an expired
cert.

openssl x509 -x509toreq

 I think renewal is interesting because  [...]

It's always a matter of your local policy.

Ciao, Michael.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Certificate renewal

[Massimiliano Pala]

Radovan Semancik wrote:
 
 And what about the certificate serial number. It will be changed or
 stays same?
 User will download a renewed certificate just as a "original" one? Won't
 Netscape complaint about duplicate certificate?

No, the serial number is different. Netscape will correctly import it
and recognize it is the same certificate (try to display it and you'll
get an idea of what I am saying).

C'you,

Massimiliano Pala ([EMAIL PROTECTED])
 S/MIME Cryptographic Signature

Re: Certificate renewal

[Radovan Semancik]

[EMAIL PROTECTED] wrote:
 
 Radovan Semancik wrote:
 
  Hi!
 
  Maybe this is FAQ or even OT, but anyway:
 
  How is certificate renewal done? I mean the case, that user's
  certificate expired and she wants a new one.
 
  User sends a new CSR? How does CA handle it? And how about serial
  number, I don't think it will be the same for expired and renewed
  certificate. Is that the case?
 
  TIA
 
 To renew a certificate you don't have to resend a Request to the
 CSP - at least Netscape don't support it (AFAIK) - simply the CSP
 should have kept a copy of your original request and issue a new
 certificate with a new validity period. This almost depends on the
 crypto layer you are using and policies you are following.
 
 If you simply renew the same key-pair just use the old request, but
 keep in mind that it is a good policy to renew all keys in a 2 years
 period...

And what about the certificate serial number. It will be changed or
stays same?
User will download a renewed certificate just as a "original" one? Won't
Netscape complaint about duplicate certificate?

-- 
Ing. Radovan Semancik ([EMAIL PROTECTED])
 System Engineer, Business Global Systems a.s.
   http://storm.alert.sk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Certificate renewal

[Massimiliano Pala]

Radovan Semancik wrote:
 
 Hi!
 
 Maybe this is FAQ or even OT, but anyway:
 
 How is certificate renewal done? I mean the case, that user's
 certificate expired and she wants a new one.
 
 User sends a new CSR? How does CA handle it? And how about serial
 number, I don't think it will be the same for expired and renewed
 certificate. Is that the case?
 
 TIA

To renew a certificate you don't have to resend a Request to the
CSP - at least Netscape don't support it (AFAIK) - simply the CSP
should have kept a copy of your original request and issue a new
certificate with a new validity period. This almost depends on the
crypto layer you are using and policies you are following.

If you simply renew the same key-pair just use the old request, but
keep in mind that it is a good policy to renew all keys in a 2 years
period...

C'you,

Massimiliano Pala ([EMAIL PROTECTED])
 S/MIME Cryptographic Signature

Certificate renewal

[Radovan Semancik]

Hi!

Maybe this is FAQ or even OT, but anyway:

How is certificate renewal done? I mean the case, that user's
certificate expired and she wants a new one.

User sends a new CSR? How does CA handle it? And how about serial
number, I don't think it will be the same for expired and renewed
certificate. Is that the case?

TIA

-- 
Ing. Radovan Semancik ([EMAIL PROTECTED])
 System Engineer, Business Global Systems a.s.
   http://storm.alert.sk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

certificate renewal

[Martin Leung]

Hi,

Does anyone know how to renew certificate?  I tried:

openssl x509 -x509toreq -in cert_file -out csr_file -signkey CA_private_key

but the signature of the created csr_file is incorrect.

Does the 'ca' package have renew function?

In addition, I can't sign certs with same dn but non-overlapped valid period (I use 
the -startdate option). Also, the ssleay.doc said index.txt has a status 'E' for 
expiry. How can I activate it? Does it
matter?

Rgds.
Martin

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

certificate renewal with MSIE 5

[Miguel Angel Fraga]

I'm having difficulty to install a new
certificate after a certificate renewal
w/ MSIE 5.
Our certification authority have been
tested during some time, now we have
generated new CA's key pairs.

In fact MSIE doesn't "refresh" the
new certificate.  (Same tests with
Communicator 4.61 works fine ;-)

Thanks
Miguel Angel



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]