I have an openssl CA. I have previously created a self-signed Root
certificate. However this certificate has now expired. How can I "refresh" the certificate
(i.e. create a new one with a later expiry date), but still use the old private
key so that all the other certificates issued with it can be re-issued in turn?
I have tried the following:

openssl req -x509 -key F:\MyCAs\MyRootCA\private\cakey.pem -keyform PEM -out cacert2.pem -outform PEM

But after prompting for my password, it just hangs. The openssl installation I am using is from 2004.
openssl req -new -x509 -key F:\MyCAs\MyRootCA\private\cakey.pem -keyform PEM -out cacert2.pem -outform PEM

seems to work…
In reply to this post by JF-27
A word of warning: this was done to satisfy some test data. In fact you shouldn't be doing this
at all... you should create a new private key. The only reason to preserve the old
private key is if there is something out there signed with it, and if this is
the root CA and its public cert has expired you really shouldn't allow
anything out there to remain valid anyway. By issuing a new cert with the old
key you are actually allowing old certificates possibly to validate...

From: John Francis [mailto:[hidden email]]
> openssl req -new -x509 -key F:\MyCAs\MyRootCA\private\cakey.pem -keyform PEM -out cacert2.pem -outform PEM
>
> seems to work…
> The only reason to preserve the old private key is
> if there is something out there signed with it and
> if this is the root CA and its public cert has expired
> you really shouldn't allow anything out there to remain
> valid anyway. By issuing a new cert with the old key you
> are actually allowing old certificates possibly to validate.

Maybe I'm being dense, but I can't see the harm. If those old certificates are still inside their validity period, what harm is there in having them validate? They're *valid*, after all. The only arguments I can see are all related to more time to compromise the same private key, for example:

1) The original private key might have gotten out somehow or been misplaced somewhere. Revalidating the same key gives more time for the mislaid key to get into evil hands.

2) The original private key might have been stored somewhere with poor encryption, say with a simple English word or a small number of digits encrypting it. Having the same key be valid for longer allows more time for an attack on the key's encoding.

3) There might be a slow leak somewhere gradually giving information about the key, say by some kind of timing attack.

4) The PK algorithm itself can be broken given enough time to derive the private key. Reusing a key gives more time for that.

There may be some reason I'm not thinking of, but that valid certificates will validate doesn't seem to be a problem.

DS
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [hidden email]
Automated List Manager [hidden email]
In reply to this post by JF-27
On Thu, Apr 20, 2006 at 04:42:53PM +0100, John Francis wrote:

> A word of warning, this was done to satisfy some test data.
>
> In fact you shouldn't be doing this at all. You should create a new private key.
>
> The only reason to preserve the old private key is if there is something out
> there signed with it and if this is the root CA and its public cert has
> expired you really shouldn't allow anything out there to remain valid
> anyway. By issuing a new cert with the old key you are actually allowing old
> certificates possibly to validate.

Those would be old certificates whose expiration time post-dates the expiration time of the CA. Usually that is not a problem, and sometimes (a CA signing a 1 year certificate in the last year of the CA's validity) it allows one to make up for harmless procedural errors. Generally a CA's lifetime is a reasonable multiple of the maximum lifetime of the certificates it signs, and a new CA cert is minted, distributed to the world at large, and then used well before the old CA becomes invalid.

-- 
Viktor.