Re: extend validity of existing certificates

2003-02-17 Thread pilsl

Thnx a lot for your detailed answer.

I already started following your recommendations and created a new
CA.crt based on the given "old" ca.key and also created a new CSR
(also based on its "old" key) and signed it with the "new" CA to get a
new CRT.

The new CRT is perfectly accepted by all clients (web browsers) even if
they have the old CA.CRT installed.
So I have time to distribute the "new" CA.CRT until the "old" CA.CRT expires.

I tested this scenario by changing the clock of some clients. IE5.5 will
then claim that the certificate itself has expired.

thnx again,
peter

On Mon, Feb 17, 2003 at 09:10:39AM -0500, Markus Lorch wrote:

-- 
mag. peter pilsl
IT-Consulting
tel: +43-699-1-3574035
fax: +43-699-4-3574035
[EMAIL PROTECTED]
http://www.goldfisch.at
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: extend validity of existing certificates

2003-02-17 Thread Markus Lorch
> 
> 
> It is not true, because it is possible to extend the validity of a
> certificate, even with openssl.

I'd be really curious how you accomplish this, other than the solution
below ... which creates a new cert request which becomes a new cert
after the cert request has been signed.

I.e. a PKC is a signed construct; if you change anything within the
construct (i.e. the validity) you have to create a new signature and
thus have a new certificate that is != to the old one. The only thing
you can (and want to) keep is the key pair.

> 
> You have to create a new certification request, with an 
> extended period of
> time.
> 
> Rossi
> 
> 
> - Original Message -
> From: "Markus Lorch" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, February 17, 2003 3:10 PM
> Subject: RE: extend validity of existing certificates
> 




Re: extend validity of existing certificates

2003-02-17 Thread Hotmail
It is not true, because it is possible to extend the validity of a
certificate, even with openssl.

You have to create a new certification request, with an extended period of
time.

Rossi


- Original Message -
From: "Markus Lorch" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 17, 2003 3:10 PM
Subject: RE: extend validity of existing certificates





RE: extend validity of existing certificates

2003-02-17 Thread Markus Lorch
> 
> On my little system I've three types of self-created certificates that
> will all expire this year (I didn't pay much attention to expiration
> when first creating them).
> 
> I'm now looking for a way to extend this validity without recreating
> the certificates and therefore breaking existing trust relations.

There is no way to extend certificate validity (other than changing your
computer clock - not recommended), but you can issue a new certificate
with the same key pair used originally (standard procedure for renewal),

but because you maintain the keys you are not breaking any trust
relations.

> 
> i) my CA. I have the key-file and the crt-file.
>   If I need to recreate this I need to recreate and re-sign all
> certificates of type ii) also, and I'll need to redistribute the new CA
> to all clients that have this cert installed.

only the cert file needs recreation and yes, all the clients will have
to have the new cert (watch out to use the same subject as well, i.e.
create a new, identical certificate that only differs in the validity
and serial number)

> 
> ii) the certificates signed by the above CA. These are mostly
> certificates for virtual hosts with my apache. I have the key-file and
> the crt-file and even the csr-file.
> 

none of these need to be recreated because of the new CA certificate,
however if these certs expire themselves then you also need to renew
them. Same as before, only the certs need renewal - key pairs can be
maintained.

> iii) self-signed certificates I use for securing mail transfer.
> I have the pem-file in this case.

same as above, create a new cert but maintain the key. But actually you
can simply reuse your expired cert as they are self-signed; you (and
nobody else) trusts your certs. All the trust is directly in your
public-private key pair.
> 
> I hope that I can extend the validity with openssl without
> recreating.
> 

nope, that's what makes certificates safe. 

Markus
 


> 
> thnx,
> peter
> 
> -- 
> mag. peter pilsl
> IT-Consulting
> tel: +43-699-1-3574035
> fax: +43-699-4-3574035
> [EMAIL PROTECTED]
> http://www.goldfisch.at

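The renewal procedure Markus describes in this message and in his follow-up (a new certificate, same key pair, same subject, differing only in validity and serial number), together with the behaviour Peter reports after trying it (clients that still hold the old CA certificate accept the freshly signed server certificate, right up to the day the old CA certificate expires), as an added example that is not part of the thread and not code from any of its participants or from the OpenSSL project. The file names, subjects, serial numbers and lifetimes are constructed for the demo, `openssl` is assumed to be on the PATH, and `openssl verify -attime` stands in for "changing the clock of some clients".

```shell
#!/bin/sh
# Added example (not from the thread): renew a CA cert and a CA-signed server
# cert with OpenSSL while keeping both key pairs, then check what the old and
# the new CA certificate each accept, today and 40 days from now.
# Subjects, serials, lifetimes and file names are constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/renew-demo.$$"
mkdir -p "$WORK" && cd "$WORK"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

CA_SUBJ="/CN=Example Lab CA"        # must be identical on the old and new CA cert
SRV_SUBJ="/CN=www.example.test"     # constructed hostname

# --- original setup: two key pairs, a 30-day CA cert, a 30-day server cert ---
openssl ecparam -name prime256v1 -genkey -noout -out ca.key
openssl ecparam -name prime256v1 -genkey -noout -out server.key
openssl req -new -x509 -config ext.cnf -extensions ca_ext -key ca.key \
    -subj "$CA_SUBJ" -days 30 -set_serial 1 -out ca-old.crt
openssl req -new -config ext.cnf -key server.key -subj "$SRV_SUBJ" -out server.csr
openssl x509 -req -in server.csr -CA ca-old.crt -CAkey ca.key -set_serial 1001 \
    -days 30 -extfile ext.cnf -extensions server_ext -out server-old.crt 2>/dev/null

# --- renewal: same keys, same subjects; only validity and serial change --------
openssl req -new -x509 -config ext.cnf -extensions ca_ext -key ca.key \
    -subj "$CA_SUBJ" -days 365 -set_serial 2 -out ca-new.crt
openssl x509 -req -in server.csr -CA ca-new.crt -CAkey ca.key -set_serial 1002 \
    -days 365 -extfile ext.cnf -extensions server_ext -out server-new.crt 2>/dev/null

# --- checks ---------------------------------------------------------------------
# Print one field of a cert, e.g.  field ca-old.crt -subject
field() { openssl x509 -in "$1" -noout "$2"; }

same_public_key() { [ "$(field "$1" -pubkey)" = "$(field "$2" -pubkey)" ]; }
same_subject()    { [ "$(field "$1" -subject)" = "$(field "$2" -subject)" ]; }

# Does leaf $2 chain to trust anchor $1 when the clock reads $3 (epoch seconds)?
verifies_at() { openssl verify -attime "$3" -CAfile "$1" "$2" >/dev/null 2>&1; }

NOW=$(date +%s)
IN_40_DAYS=$((NOW + 40 * 86400))   # 30-day certs have expired, 365-day ones have not

same_public_key ca-old.crt ca-new.crt         && echo "CA key pair kept"
same_public_key server-old.crt server-new.crt && echo "server key pair kept"
same_subject    ca-old.crt ca-new.crt         && echo "CA subject unchanged"
verifies_at ca-old.crt server-new.crt "$NOW"        && echo "today: old CA cert accepts the renewed server cert"
verifies_at ca-old.crt server-new.crt "$IN_40_DAYS" || echo "in 40 days: old CA cert expired, renewed server cert rejected"
verifies_at ca-new.crt server-new.crt "$IN_40_DAYS" && echo "in 40 days: new CA cert still accepts it"
echo "generated files left in $WORK"
```

Run it with `sh`; the generated files stay in the temporary directory so they can be inspected with `openssl x509 -text -noout -in <file>`. The three `verifies_at` lines reproduce what the thread's clock-changing test showed: a renewed server certificate signed by the same CA key chains to the old CA certificate because issuer name and key identifier still match, but once that old CA certificate expires, a client that trusts only the old copy rejects the whole chain, so the new CA certificate has to reach clients before that date.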