RE: Changing the expiry date of a cert

2007-10-22 Thread David Schwartz

Mark H. Wood wrote:

> Further, it won't be a trust root until it's distributed and the
> recipients are satisfied that it is legitimate.  And I think that's
> the real question:
>
>   When my CA's certificate expires, can I update it without having to
>   deliver copies securely to everyone who is supposed to trust my CA?
>
> The answer to *that* question had better be "NO".  It truly doesn't
> matter whether you made a new certificate or updated the old one,
> because in either case you must distribute it again in a trustworthy
> manner or nobody will trust it.

There should be a way to issue an updated root certificate signed by the
original root (while it is still valid) such that browsers provide a very
simple prompt that strongly encourages you to "update" the certificate. If a
root is compromised inside its validity period, you're screwed anyway.
Unfortunately, as far as I know, there is no such thing.

DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]


Re: Changing the expiry date of a cert

2007-10-19 Thread Mark H. Wood
On Wed, Oct 17, 2007 at 08:34:56PM -0700, Jim Fox wrote:
>
> This was a certificate authority certificate.  As such, the renewal has to
> have the same key and DN as the original in order to continue being a CA
> for previously signed certificates.

Further, it won't be a trust root until it's distributed and the
recipients are satisfied that it is legitimate.  And I think that's
the real question:

  When my CA's certificate expires, can I update it without having to
  deliver copies securely to everyone who is supposed to trust my CA?

The answer to *that* question had better be "NO".  It truly doesn't
matter whether you made a new certificate or updated the old one,
because in either case you must distribute it again in a trustworthy
manner or nobody will trust it.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.





Re: [openssl-users] Re: Changing the expiry date of a cert

2007-10-18 Thread Erwann ABALEA
Today is XVI Kal. Nov. MMVII; Jim Fox wrote:
>
> This was a certificate authority certificate.  As such, the renewal has to
> have the same key and DN as the original in order to continue being a CA
> for previously signed certificates.

You don't have to keep the same key, you just have to keep the same
DN.

-- 
Erwann ABALEA <[EMAIL PROTECTED]>
-
If you never try anything new, you'll miss out on many of life's great
disappointments.
  Demotivators, 2002 calendar


RE: Changing the expiry date of a cert

2007-10-17 Thread Mouse
> > "Is it possible to extend the expiry of this certificate
> > without changing any other fields in the certificate?"
> >
> > to which it seems that the answer is
> >
> > "Yes",
> 
> How could the answer be anything other than yes?

All too easily. Because as you yourself point out, such a change would
invalidate the signature. And if a new signature is acquired - for all
practical purposes it is a new certificate, regardless of how much in common
it happens to have with the old one.

> Could there 
> be some mysterious force that compels you to change other fields?

I never heard that there was a "minimal change" that was allowed without
invalidating the cert. :-)

> Or you can argue that the answer is "no", since you have to 
> at least change the signature and you pretty much have to 
> change the serial number.

Exactly!

> And the OP replies:
> 
> > Yes. That's what I was trying to ask. So, how can
> > I change the expiry date of an existing certificate
> > without changing any other field ? Is 
> > there any openssl command that I may use ?
> 
> Did you not read or understand my answer? There is no 
> difference between changing the date on the old certificate 
> and issuing a new certificate.

If one wants to preserve the old serial number and old signatures - the
answer is "no-how, no way". If one wants to have the same cert with a new
expiration date - then just get a new cert with that one change (like David
described).

> Just issue a new certificate the same way you issued the 
> original one, changing only the expiration date (and the 
> signature, if you want). Tell everyone you changed the 
> expiration date on the original, they won't be able to tell 
> that you're lying.

Yes! :-)
And how can the signature not be changed? It's a different stream of bits
(from the original cert), so it necessarily requires a new (different)
signature.

 
> Sorry if this sounds like insane ranting. I'm really
> trying to be helpful, but it seems like it didn't sink
> in the first time.

:-) Let's see how the 2nd iteration goes. :-)



Re: Changing the expiry date of a cert

2007-10-17 Thread Jim Fox


This was a certificate authority certificate.  As such, the renewal has to have
the same key and DN as the original in order to continue being a CA
for previously signed certificates.

Jim

On Oct 17, 2007, at 5:54 PM, David Schwartz wrote:

> > It seems to me that the OP is indeed asking something else entirely
> > different from the question which you yourself seem to have posed and
> > then immediately failed to answer.  He's asking
> >
> > "Is it possible to extend the expiry of this certificate without
> > changing any other fields in the certificate?"
> >
> > to which it seems that the answer is
> >
> > "Yes",
>
> How could the answer be anything other than yes? Could there be some
> mysterious force that compels you to change other fields?
>
> Or you can argue that the answer is "no", since you have to at least change
> the signature and you pretty much have to change the serial number.
>
> And the OP replies:
>
> > Yes. That's what I was trying to ask. So, how can I change the
> > expiry date of an existing certificate without changing any
> > other field ? Is there any openssl command that I may use ?
>
> Did you not read or understand my answer? There is no difference between
> changing the date on the old certificate and issuing a new certificate. If
> you know how to issue a new certificate, you know how to change the date on
> an existing one because THERE IS NO DIFFERENCE BETWEEN THESE TWO THINGS
> other than philosophical differences.
>
> If you issue a new certificate that is the same as the old except for the
> serial number, how will anyone know you didn't just change the serial number
> on the old one? Will they somehow be the same bits and not new bits?
>
> IT MAKES NO DIFFERENCE. The question, as asked, is purely philosophical.
>
> Just issue a new certificate the same way you issued the original one,
> changing only the expiration date (and the signature, if you want). Tell
> everyone you changed the expiration date on the original, they won't be able
> to tell that you're lying.
>
> If you don't know how to or can't issue a new certificate with a new
> expiration date, then you can't change the expiration date on the old one
> either. Why? BECAUSE THEY'RE THE SAME THING. They're just two different ways
> of saying the same thing.
>
> If your driver's license expires, you can change the expiration date on the
> license and reprint it. Or you can get a new license with a new expiration
> date. The difference is -- wait for it -- nothing at all. It's the same
> thing. The same procedure to "issue a new license with a new expiration
> date" can be said to "reissue the original license with a new expiration
> date". The only thing that makes it "new" or "reissued" is the difference
> between the two licenses which is just the expiration date!
>
> Sorry if this sounds like insane ranting. I'm really trying to be helpful,
> but it seems like it didn't sink in the first time.
>
> DS




RE: Changing the expiry date of a cert

2007-10-17 Thread David Schwartz

> It seems to me that the OP is indeed asking something else entirely
> different from the question which you yourself seem to have posed and
> then immediately failed to answer.  He's asking
>
> "Is it possible to extend the expiry of this certificate without
> changing any other fields in the certificate?"
>
> to which it seems that the answer is
>
> "Yes",

How could the answer be anything other than yes? Could there be some
mysterious force that compels you to change other fields?

Or you can argue that the answer is "no", since you have to at least change
the signature and you pretty much have to change the serial number.

And the OP replies:

> Yes. That's what I was trying to ask. So, how can I change the
> expiry date of an existing certificate without changing any
> other field ? Is there any openssl command that I may use ?

Did you not read or understand my answer? There is no difference between
changing the date on the old certificate and issuing a new certificate. If
you know how to issue a new certificate, you know how to change the date on
an existing one because THERE IS NO DIFFERENCE BETWEEN THESE TWO THINGS
other than philosophical differences.

If you issue a new certificate that is the same as the old except for the
serial number, how will anyone know you didn't just change the serial number
on the old one? Will they somehow be the same bits and not new bits?

IT MAKES NO DIFFERENCE. The question, as asked, is purely philosophical.

Just issue a new certificate the same way you issued the original one,
changing only the expiration date (and the signature, if you want). Tell
everyone you changed the expiration date on the original, they won't be able
to tell that you're lying.

If you don't know how to or can't issue a new certificate with a new
expiration date, then you can't change the expiration date on the old one
either. Why? BECAUSE THEY'RE THE SAME THING. They're just two different ways
of saying the same thing.

If your driver's license expires, you can change the expiration date on the
license and reprint it. Or you can get a new license with a new expiration
date. The difference is -- wait for it -- nothing at all. It's the same
thing. The same procedure to "issue a new license with a new expiration
date" can be said to "reissue the original license with a new expiration
date". The only thing that makes it "new" or "reissued" is the difference
between the two licenses which is just the expiration date!

Sorry if this sounds like insane ranting. I'm really trying to be helpful,
but it seems like it didn't sink in the first time.

DS




Re: Changing the expiry date of a cert

2007-10-17 Thread Victor Duchovni
On Wed, Oct 17, 2007 at 09:49:15PM +0100, G.W. Haywood wrote:

> "Is it possible to extend the expiry of this certificate without
> changing any other fields in the certificate?"
> 
> to which it seems that the answer is
> 
> "Yes",

Actually it is "no", because the certificate needs a new signature block.
But the more interesting question is what verifiers will make of the
new cert, and the answer is that they won't trust it unless reconfigured
to do so.

> although one might add that the resulting certificate could be viewed
> by some as a different certificate.  In that case, the next question
> would be "Is it valid?", to which the answer would also presumably be
> 
> "Yes".

If the signature block is not updated (new cert generated with nearly
identical fields), the cert is invalid. If a new valid cert is generated,
it is untrusted.

-- 
Viktor.


Re: Changing the expiry date of a cert

2007-10-17 Thread PS
Yes. That's what I was trying to ask. So, how can I change the expiry date of
an existing certificate without changing any other field ? Is there any
openssl command that I may use ?

On 10/17/07, G.W. Haywood <[EMAIL PROTECTED]> wrote:
>
> Hi there,
>
> On Wed, 17 Oct 2007, David Schwartz wrote:
>
> > The OP wrote:
> >
> > > I have a private CA certificate created using openssl command line.
> > > The issue is that the certificate expires on 19th Oct, 2007.
> > > The question is that "Is it possible to extend the expiry of this
> > > certificate without changing any other fields in the certificate?"
> > > Basically, I want to continue using this CA Cert to sign end-user
> > > certs for a longer time.
> > > Any help will be appreciated. Thanks.
> >
> > This question comes up a lot and I still have no idea what anyone is asking.
>
> It seems fairly clear to me.
>
> > It seems like it's largely a philosophical question, like am I the same
> > person I was ten years ago even though only 1% of the molecules are the
> > same.
>
> I don't think the OP asked anything like that.
>
> > Some might consider the resulting certificate to be the original certificate
> > with a later expiry date. Some might consider it to be a brand new
> > certificate that just happens to share some common values with the previous
> > certificate.
>
> I don't think the OP asked whether it would still be the old certificate or
> if it would be a new certificate.  He just asked if he can change the date,
> and only the date, on his existing certificate.
>
> > What possible difference does it make whether you consider the resulting
> > certificate a "new certificate" or "the original certificate with a later
> > expiration date"?
>
> I don't think, in this thread, that anyone else considered that difference.
>
> > Or are you asking something else entirely? And if so, what?
>
> It seems to me that the OP is indeed asking something else entirely
> different from the question which you yourself seem to have posed and
> then immediately failed to answer.  He's asking
>
> "Is it possible to extend the expiry of this certificate without
> changing any other fields in the certificate?"
>
> to which it seems that the answer is
>
> "Yes",
>
> although one might add that the resulting certificate could be viewed
> by some as a different certificate.  In that case, the next question
> would be "Is it valid?", to which the answer would also presumably be
>
> "Yes".
>
> Have I understood?
>
> --
>
> 73,
> Ged.


RE: Changing the expiry date of a cert

2007-10-17 Thread G.W. Haywood
Hi there,

On Wed, 17 Oct 2007, David Schwartz wrote:

> The OP wrote:
>
> > I have a private CA certificate created using openssl command line.
> > The issue is that the certificate expires on 19th Oct, 2007.
> > The question is that "Is it possible to extend the expiry of this
> > certificate without changing any other fields in the certificate?"
> > Basically, I want to continue using this CA Cert to sign end-user
> > certs for a longer time.
> > Any help will be appreciated. Thanks.
>
> This question comes up a lot and I still have no idea what anyone is asking.

It seems fairly clear to me.

> It seems like it's largely a philosophical question, like am I the same
> person I was ten years ago even though only 1% of the molecules are the
> same.

I don't think the OP asked anything like that.

> Some might consider the resulting certificate to be the original certificate
> with a later expiry date. Some might consider it to be a brand new
> certificate that just happens to share some common values with the previous
> certificate.

I don't think the OP asked whether it would still be the old certificate or
if it would be a new certificate.  He just asked if he can change the date,
and only the date, on his existing certificate.

> What possible difference does it make whether you consider the resulting
> certificate a "new certificate" or "the original certificate with a later
> expiration date"?

I don't think, in this thread, that anyone else considered that difference.

> Or are you asking something else entirely? And if so, what?

It seems to me that the OP is indeed asking something else entirely
different from the question which you yourself seem to have posed and
then immediately failed to answer.  He's asking

"Is it possible to extend the expiry of this certificate without
changing any other fields in the certificate?"

to which it seems that the answer is

"Yes",

although one might add that the resulting certificate could be viewed
by some as a different certificate.  In that case, the next question
would be "Is it valid?", to which the answer would also presumably be

"Yes".

Have I understood?

--

73,
Ged.


RE: Changing the expiry date of a cert

2007-10-17 Thread David Schwartz

> I have a private CA certificate created using openssl command line.
> The issue is that the certificate expires on 19th Oct, 2007.
> The question is that "Is it possible to extend the expiry of this
> certificate without changing any other fields in the certificate?"
> Basically, I want to continue using this CA Cert to sign end-user
> certs for a longer time.
> Any help will be appreciated. Thanks.

This question comes up a lot and I still have no idea what anyone is asking.

It seems like it's largely a philosophical question, like am I the same
person I was ten years ago even though only 1% of the molecules are the
same.

Some might consider the resulting certificate to be the original certificate
with a later expiry date. Some might consider it to be a brand new
certificate that just happens to share some common values with the previous
certificate.

What possible difference does it make whether you consider the resulting
certificate a "new certificate" or "the original certificate with a later
expiration date"?

Or are you asking something else entirely? And if so, what?

DS

