Okay, thanks for all the information, here's what I did and what will go into 
testing:

- Recreated a CSR from the root CA cert using

openssl x509 -x509toreq -in cacert.crt -signkey cakey.key -sha1 -out newcert.csr

- Set the system date back to the start day of the old root cert

- Recreated the CA cert

openssl req -in newcert.csr -key cakey.key -x509 -days blablabla -out ca_new.crt

So far this looks promising, the serial number is fresh, the startdate to 
enddate range includes all my existing certs and I hope that this is the end.

Thanks,
Stephan

Sent: Tuesday, 15 April 2014 at 22:28
From: "Kyle Hamilton" <aerow...@gmail.com>
To: openssl-users <openssl-users@openssl.org>
Subject: Re: Re: Converting a root certificate from md5 to sha1
Stephan,

It depends on how pedantic your clients are. If you aren't rekeying,
it shouldn't matter, though.

X.509 has a "Subject" and an "Issuer". The Issuer of a certificate is
the Subject of the certificate whose private key was used to sign it.
If the Issuer doesn't change, then the matching algorithm doesn't
change at all.

However, the answer is always going to be "test the clients in your
environment". There are a *lot* of options, a *lot* of things that
can potentially get screwed up, and there's no way to make a blanket
statement without caveat.

The problem with that command, though, is that it doesn't change the
serial number, or the signing algorithm claimed in the main
certificate. Anything which pedantically enforces the rule that "the
signing algorithm claimed in the TbsCertificate MUST match the signing
algorithm in the Certificate" is going to fail. (I think I saw a root
certificate from Boeing which failed that particular test.)

As always, your mileage may vary. The proper way to do this is to
create a new certificate request with the appropriate information, and
then sign it, but OpenSSL makes that difficult.

-Kyle H


On Tue, Apr 15, 2014 at 6:54 AM, <steff...@gmx.de> wrote:
>>You need to generate a new certificate with the same data (except a
>>different serial number and a reference to sha1WithRSAEncryption),
>>containing the same public key, and signed with the same private key.
>>
>>I'd recommend sha256WithRSAEncryption, but that's possibly not an
>>option for you.
>>
>>Make sure that you do not reuse the same serial number, it *will*
>>cause problems (particularly for such software as Firefox, but also
>>for anything that's written in an X.509-pedantic mode).
>>
>>-Kyle H
>
> Okay, thanks. Would this mean that I need to replace the old root cert with 
> the new one on all clients? I have certificates that are already in use and 
> the new root cert would have a start date of today, wouldn't it confuse the 
> client when the start date of the cert is older than that of the root cert?
>
> Also I managed to convert the existing root cert from md5 to sha1 with
>
> openssl x509 -sha1 -inform pem -outform pem -in cacert.pem -out 
> cacertsha1.pem -signkey cakey.pem
>
> this recreates the cert with sha1 but it also resets the startdate to <now>. 
> I tried using -startdate and -enddate but openssl moans that it doesn't 
> recognize the date as an option. I tried 'Jan 01 10:37:30 2014 GMT' as well as 
> the YYMMDDHHMMSSZ form, but neither works.
>
> Thanks,
> Stephan
>
>>On Tue, Apr 15, 2014 at 1:41 AM, <steff...@gmx.de> wrote:
>>> Hello world,
>>>
>>> I am running my own little CA and the root certificate was created using 
>>> md5:
>>>
>>> Signature Algorithm: md5WithRSAEncryption
>>>
>>> I need to change this to sha1 because I have clients that do not accept md5 
>>> anymore. Is there any way to convert the existing cert from md5 to sha1? I 
>>> tried converting it to another format and then reimporting it using -sha1 
>>> but this doesn't work.
>>>
>>> Thanks,
>>> Stephan
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
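As an added example (not code from this thread and not an OpenSSL tool), a stdlib-only Python check for the inconsistency Kyle describes: it reads the serial number and the signature algorithm claimed in the tbsCertificate and in the outer Certificate from a DER-encoded certificate, so a re-signed root can be checked before it is rolled out to clients. It assumes DER input (`openssl x509 -in ca_new.crt -outform DER -out ca_new.der` converts PEM), and the `sample_cert` skeleton at the bottom is constructed for the demonstration, not a real certificate.

```python
# Added example, not from the thread: read the signature algorithm from both
# places it appears in an X.509 certificate, plus the serial number.
SIGALG = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length (0x80 | n bytes)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """DER OID content bytes -> dotted string."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                      # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def cert_sigalgs(der):
    """Return (serial, tbs_sigalg, outer_sigalg); pedantic clients reject a mismatch."""
    _, cert, _ = read_tlv(der, 0)            # Certificate ::= SEQUENCE {
    _, tbs, pos = read_tlv(cert, 0)          #   tbsCertificate,
    _, outer, _ = read_tlv(cert, pos)        #   signatureAlgorithm, signature }
    tag, _, tpos = read_tlv(tbs, 0)          # [0] EXPLICIT version is optional,
    tpos = tpos if tag == 0xA0 else 0        # absent on v1 certificates
    _, serial, tpos = read_tlv(tbs, tpos)    # serialNumber INTEGER
    _, inner, _ = read_tlv(tbs, tpos)        # signature AlgorithmIdentifier
    oid = lambda algid: decode_oid(read_tlv(algid, 0)[1])
    names = [SIGALG.get(o, o) for o in (oid(inner), oid(outer))]
    return (int.from_bytes(serial, "big", signed=True), *names)

# Constructed sample: a skeletal certificate carrying only version, serial and the
# two AlgorithmIdentifiers; enough for the parser above, not a usable certificate.
def _tlv(tag, value):                        # short-form lengths suffice here
    return bytes([tag, len(value)]) + value

def _rsa_algid(last_arc):                    # 1.2.840.113549.1.1.<last_arc>, NULL
    oid = bytes.fromhex("2a864886f70d0101") + bytes([last_arc])
    return _tlv(0x30, _tlv(0x06, oid) + b"\x05\x00")

def sample_cert(inner_arc, outer_arc, serial=0x1F3A):
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, serial.to_bytes(2, "big")) + _rsa_algid(inner_arc)
    return _tlv(0x30, _tlv(0x30, tbs) + _rsa_algid(outer_arc) + _tlv(0x03, bytes(17)))
```

On a real file, `cert_sigalgs(open("ca_new.der", "rb").read())` should report the same algorithm name twice and a serial that differs from the old root's.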