Refreshing a self signed root certificate


Refreshing a self signed root certificate

JF-27

I have an openssl CA.

I have previously created a self-signed Root certificate.

However this certificate has now expired.

How can I “refresh” the certificate (i.e. create a new one with a later expiry date), but still use the old private key so that all the other certificates issued with it can be re-issued in turn?

I have tried the following:

openssl req -x509 -key F:\MyCAs\MyRootCA\private\cakey.pem -keyform PEM -out cacert2.pem -outform PEM

But after prompting for my password, it just hangs.

The openssl installation I am using is from 2004.


RE: Refreshing a self signed root certificate

JF-27

openssl req -new -x509 -key F:\MyCAs\MyRootCA\private\cakey.pem -keyform PEM -out cacert2.pem -outform PEM

seems to work…


RE: Refreshing a self signed root certificate

JF-27
In reply to this post by JF-27

A word of warning, this was done to satisfy some test data.

In fact you shouldn’t be doing this at all… you should create a new private key.

The only reason to preserve the old private key is if there is something out there signed with it, and if this is the root CA and its public cert has expired, you really shouldn’t allow anything out there to remain valid anyway. By issuing a new cert with the old key you are actually allowing old certificates possibly to validate…

From: John Francis [mailto:[hidden email]]
Sent: 20 April 2006 15:30
To: '[hidden email]'
Subject: RE: Refreshing a self signed root certificate

> openssl req -new -x509 -key F:\MyCAs\MyRootCA\private\cakey.pem -keyform PEM -out cacert2.pem -outform PEM
>
> seems to work…



RE: Refreshing a self signed root certificate

JoelKatz

>The only reason to preserve the old private key is
>if there is something out there signed with it and
>if this is the root CA and its public cert has expired
>you really shouldn't allow anything out there to remain
>valid anyway. By issuing a new cert with the old key you
>are actually allowing old certificates possibly to validate.

Maybe I'm being dense, but I can't see the harm. If those old certificates
are still inside their validity period, what harm is there in having them
validate? They're *valid*, after all.

The only arguments I can see are all related to more time to compromise the
same private key, for example:

1) The original private key might have gotten out somehow or misplaced
somewhere. Revalidating the same key gives more time for the mislaid key to
get in evil hands.

2) The original private key might have been stored somewhere with poor
encryption, say with a simple English word or small number of digits
encrypting it. Having the same key be valid for longer allows more time for
an attack on the key's encoding.

3) There might be a slow leak somewhere gradually giving information about
the key, say by some kind of timing attack.

4) The PK algorithm itself can be broken given enough time to derive the
private key. Reusing a key gives more time for that.

There may be some reason I'm not thinking of, but that valid certificates
will validate doesn't seem to be a problem.

DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Refreshing a self signed root certificate

Victor Duchovni
In reply to this post by JF-27
On Thu, Apr 20, 2006 at 04:42:53PM +0100, John Francis wrote:

> A word of warning, this was done to satisfy some test data.
>
> In fact you shouldn't be doing this at all... you should create a new private
> key..
>
> The only reason to preserve the old private key is if there is something out
> there signed with it and if this is the root CA and its public cert has
> expired you really shouldn't allow anything out there to remain valid
> anyway. By issuing a new cert with the old key you are actually allowing old
> certificates possibly to validate.

Those would be old certificates, whose expiration time post-dates the
expiration time of the CA. Usually that is not a problem and sometimes
(a CA signing a 1 year certificate in the last year of the CA's validity)
it allows one to make up for harmless procedural errors.

Generally a CA's lifetime is a reasonable multiple of the maximum lifetime
of the certificates it signs, and a new CA cert is minted, distributed
to the world at large, and then used well before the old CA
becomes invalid.

--
        Viktor.
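The two technical points of the thread, the `openssl req -new -x509 -key ...` renewal that worked for JF-27 and the JoelKatz/Victor observation that a leaf issued under the old root keeps validating under the root re-issued from the same key, as one added, runnable example. It is not code from the thread or from the OpenSSL project. It assumes OpenSSL 1.1.1 or later on PATH and a writable temp directory; the CA name, the leaf name and the serials are constructed. The root is deliberately given a one-day lifetime and the leaf thirty days, and `openssl verify -attime` is used to validate at a point ten days out, so the "CA signs a longer-lived cert in its last days" case Victor describes can be exercised without waiting.

```sh
#!/bin/sh
# Added example (not from the thread): renew a self-signed root with the SAME
# private key, then show what that means for a leaf issued under the old root.
# Assumptions: OpenSSL 1.1.1+ on PATH, a writable temp dir; all names and
# serial numbers below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
NOW=$(date +%s)
IN_1H=$(( NOW + 3600 ))          # still inside the 1-day root's lifetime
IN_10D=$(( NOW + 10 * 86400 ))   # old root expired, 30-day leaf still valid

# Self-contained req config so nothing depends on the system openssl.cnf.
cat > "$WORK/root.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_ca
[dn]
CN = Example Test Root
[v3_ca]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Leaf extensions: AKID = keyid, which is the hash of the root's public key.
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints       = CA:false
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

# One root key, a 1-day root, a 30-day leaf under it, then the renewed root:
# same key, same DN, fresh serial, ten years of validity.
build_pki() {
    openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -config "$WORK/root.cnf" -key "$WORK/cakey.pem" \
        -days 1 -set_serial 1 -out "$WORK/cacert.pem"

    openssl genrsa -out "$WORK/leafkey.pem" 2048 2>/dev/null
    openssl req -new -config "$WORK/root.cnf" -key "$WORK/leafkey.pem" \
        -subj "/CN=leaf.example.test" -out "$WORK/leaf.csr"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -set_serial 4097 -days 30 \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

    # The renewal from the thread, with -new so req builds a cert instead of
    # waiting for an existing request on stdin.
    openssl req -new -x509 -config "$WORK/root.cnf" -key "$WORK/cakey.pem" \
        -days 3650 -set_serial 2 -out "$WORK/cacert2.pem"
}

# Chain the leaf to a given root as of a given Unix time. Prints OK or FAIL.
verify_leaf() {   # $1 = root cert file, $2 = Unix time to validate at
    if openssl verify -attime "$2" -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Prints "same" when both roots wrap the identical public key, else "different".
root_pubkey_match() {
    old=$(openssl x509 -in "$WORK/cacert.pem"  -noout -pubkey)
    new=$(openssl x509 -in "$WORK/cacert2.pem" -noout -pubkey)
    [ "$old" = "$new" ] && echo same || echo different
}

build_pki
echo "same key in both roots:        $(root_pubkey_match)"
echo "leaf vs old root, in 1 hour:   $(verify_leaf "$WORK/cacert.pem"  "$IN_1H")"
echo "leaf vs old root, in 10 days:  $(verify_leaf "$WORK/cacert.pem"  "$IN_10D")"
echo "leaf vs new root, in 10 days:  $(verify_leaf "$WORK/cacert2.pem" "$IN_10D")"
```

The leaf chains to the renewed root because chain building matches on issuer name and, where present, the authorityKeyIdentifier, and both are unchanged: the same key hashes to the same subjectKeyIdentifier. That is exactly the property the thread debates, so whether it is desirable depends on whether you wanted certificates signed under the old root to outlive it. Two practical details the thread does not mention: give the renewed root a serial different from the old one, since two certificates with the same issuer and serial but different contents confuse some stores, and on releases of the vintage JF-27 was using, `req` without `-new` reads an existing request from `-in` (standard input by default), which is the likely reason the first command appeared to hang.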