Extend SSL Certificate

Michael Post

Hello,

Last year I created my keys, certs and so on with the following steps
for an OpenVPN server:


##### Serverside ########

openssl req -new -x509 -newkey rsa:2048 -keyout ssl_priv.pem -out
ca_cert.pem -days 3650 -config ./openssl.conf

openssl x509 -in ca_cert.pem -out ca_cert.crt

openssl genrsa -out serverkey.pem -aes128 2048 -days 3650 -config
./openssl.conf

openssl req -new -key serverkey.pem -out req.pem -nodes -config
./openssl.conf

openssl ca -keyfile ssl_priv.pem -cert ca_cert.pem -in req.pem -notext
-out servercert.pem -config ./openssl.conf


And today my certificate is invalid, because due to an "error" the
servercert.pem is only valid for 365 days. It should be 3650 days.



##### Serverside created, but copied to every client ########

With the following commands I created the client certificates and keys:

openssl req -new -keyout clients/client-key-XXXXX.pem -out
clients/client-req-XXX.pem -days 365 -config ./openssl.conf

openssl ca -keyfile ssl_priv.pem -cert ca_cert.pem -in
clients/client-req-XXX.pem -notext -out client-cert-XXX.pem -outdir
clients -config ./openssl.conf
mv client-*.pem clients/


The client certificates are also invalid due to the same flaw in my scripts.

The clients are not accessible via remote maintenance because they are
UMTS clients with non-static IPs.

Is there any possibility to extend the certificates, keys and so on
server-side WITHOUT any change at client-side?

Thanks for every hint,

Michael
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List
Re: Extend SSL Certificate

Walter H.
On 09.03.2014 14:39, Michael Post wrote:
> Last year I created my keys, certs and so on with the following steps
> for an OpenVPN server:
>
The only certificate that is still valid is your self-signed CA
certificate;
> ##### Serverside ########
>
> openssl req -new -x509 -newkey rsa:2048 -keyout ssl_priv.pem -out
> ca_cert.pem -days 3650 -config ./openssl.conf
>
> openssl x509 -in ca_cert.pem -out ca_cert.crt
>
ca_cert.pem and ca_cert.crt are the same, both are in PEM format;

openssl x509 -inform PEM -in ca_cert.pem -outform DER -out ca_cert.crt
would convert it from PEM to DER format;

> openssl genrsa -out serverkey.pem -aes128 2048 -days 3650 -config
> ./openssl.conf
>
> openssl req -new -key serverkey.pem -out req.pem -nodes -config
> ./openssl.conf
>
> openssl ca -keyfile ssl_priv.pem -cert ca_cert.pem -in req.pem -notext
> -out servercert.pem -config ./openssl.conf
>
your openssl.cnf has the setting for how many days the certificates are
valid; the -days 3650 from the key generation step above is ignored;


> And today my certificate is invalid, because due to an "error" the
> servercert.pem is only valid for 365 days. It should be 3650 days.
>
>
> ##### Serverside created, but copied to every client ########
>
> With the following commands I created the client certificates and keys:
>
> openssl req -new -keyout clients/client-key-XXXXX.pem -out
> clients/client-req-XXX.pem -days 365 -config ./openssl.conf
>
Why do you add the -days option when generating the private key or
cert request, and not when signing the request?

> openssl ca -keyfile ssl_priv.pem -cert ca_cert.pem -in
> clients/client-req-XXX.pem -notext -out client-cert-XXX.pem -outdir
> clients -config ./openssl.conf
> mv client-*.pem clients/
>
>
> The client certificates are also invalid due to the same flaw in my scripts.
>
> The clients are not accessible via remote maintenance because they are
> UMTS clients with non-static IPs.
>
> Is there any possibility to extend the certificates, keys and so on
> server-side WITHOUT any change at client-side?
>
Not really; every certificate became invalid, so every certificate must be
renewed;
you can use the same private key and certificate request for this;
but without any change at client-side it will not work;

Greetings,
Walter
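Walter's two points, that `default_days` in openssl.cnf (not `-days` on the key-generation step) decides the validity of what `openssl ca` issues, and that the same key and CSR can simply be re-signed, as an added shell example that is not part of the thread. It builds a throw-away CA from a constructed config in a temp directory; the file names mirror the poster's, but every key, name and setting here is test material.

```shell
#!/bin/sh
# Added example: reproduce the 365-day default, then re-sign the SAME CSR
# for 3650 days (the renewal Walter describes). Throw-away CA, test keys.
set -eu
WORK=$(mktemp -d); cd "$WORK"
mkdir newcerts; touch index.txt; echo 01 > serial
# Constructed minimal CA config. default_days is what silently capped the
# poster's server cert; -days on genrsa/req never reaches 'openssl ca'.
cat > openssl.cnf <<'EOF'
[ ca ]
default_ca     = demo_ca
[ demo_ca ]
dir            = .
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
default_md     = sha256
default_days   = 365
unique_subject = no
policy         = loose
[ loose ]
commonName     = supplied
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
CN = placeholder
EOF
# Test CA plus server key and CSR (unencrypted test keys only).
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout ssl_priv.pem \
  -out ca_cert.pem -days 3650 -subj /CN=DemoCA -config openssl.cnf 2>/dev/null
openssl genrsa -out serverkey.pem 2048 2>/dev/null
openssl req -new -key serverkey.pem -out req.pem -subj /CN=vpn.example \
  -config openssl.cnf 2>/dev/null
# sign_csr OUTFILE [extra 'openssl ca' options]: sign req.pem with the CA.
sign_csr() {
  out=$1; shift
  openssl ca -batch -config openssl.cnf -keyfile ssl_priv.pem -cert ca_cert.pem \
    -in req.pem -notext -out "$out" "$@" >/dev/null 2>&1
}
# valid_for_days CERT DAYS: exit 0 if CERT is still valid DAYS days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}
sign_csr servercert.pem                   # default_days from openssl.cnf: 365
sign_csr servercert-long.pem -days 3650   # -days given to 'openssl ca' wins
openssl x509 -in servercert.pem -noout -enddate
openssl x509 -in servercert-long.pem -noout -enddate
```

The second `sign_csr` call is the server-side renewal: same `serverkey.pem`, same `req.pem`, new certificate; the clients still have to receive the new client certificates, which is exactly the change Walter says cannot be avoided.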


