Regarding Certificate renewal


Regarding Certificate renewal

Kamalraj Madhurakasan
Hello guys,

I would like to know whether my understanding about certificate renewal is correct or not.

To renew the certificate:

1. we need to generate a new CSR from the private key
2. revoke the old certificate
3. get the new CSR signed by the CA with validity extended

The fields that are common between the old and the new (renewed) certificate will be:

1. SKI
2. AKI
3. Issuer
4. Public Key

The fields that are not common are:

1. Subject (I see that while generating a new CSR we can change the subject)
2. Serial number
3. Other fields

Please share your inputs on this.

Thanks
Kamalraj

Re: Regarding Certificate renewal

Bernhard Fröhlich-2
Ho there,

from the technical perspective (which is the thing this list is
concerned with) a "renewed" certificate is a new certificate for the
same keys as the old one. No step of the three you list as necessary is
necessary from the openssl point of view, but may be required by your CA.

The data contained in the "renewed" certificate, besides the public part
of the key, is completely up to the issuing CA and usually laid down in
their policies.

So, you should address your questions to the CA you want to get your
certificates from. If you are implementing your own CA, you have to
decide what you want to do.
Or was your question about best practices when creating a CA policy?

Hope this helps at least a bit,
Ted
;)

On 21.01.2014 06:51, Kamalraj Madhurakasan wrote:

> Hello guys,
>
> I would like to know whether my understanding about certificate
> renewal is correct or not.
>
> To renew the certificate:
>
> 1. we need to generate a new CSR from the private key
> 2. revoke the old certificate
> 3. get the new CSR signed by the CA with validity extended
>
> The fields that are common between the old and the new (renewed) certificate
> will be:
>
> 1. SKI
> 2. AKI
> 3. Issuer
> 4. Public Key
>
> The fields that are not common are:
>
> 1. Subject (I see that while generating a new CSR we can change the subject)
> 2. Serial number
> 3. Other fields
>
> Please share your inputs on this.
>
> Thanks
> Kamalraj


--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Regarding Certificate renewal

Kamalraj Madhurakasan
Hello Ted,

In our application we have a requirement to introduce a new option which allows customers to renew the certificates which were installed in it already.

We would like to find out whether the new certificate is really a renewal certificate of the old one, so that we can allow them to replace the old one with the new one.

So to find the match we decided to use the fields (Issuer or Subject) and Serial number. But when I used openssl to create a renewed certificate following the steps I mentioned already, I see that the subject can be altered and the serial number is different.

From your mail I understand that, other than the public key, any field can be different or the same depending on the CA that the customer uses. We have many customers across the globe and they get their certificates signed and renewed by many CAs in the market.

So my conclusion is that it's up to us to decide now on choosing the match fields. Let me know if I am missing something.

Thanks
Kamalraj


Re: Regarding Certificate renewal

Bernhard Fröhlich-2
On 21.01.2014 11:21, Kamalraj Madhurakasan wrote:
> Hello Ted,
>
> In our application we have a requirement to introduce a new option which allows customers to renew the certificates which were installed in it already.
>
> We would like to find out whether the new certificate is really a renewal certificate of the old one, so that we can allow them to replace the old one with the new one.
>
> So to find the match we decided to use the fields (Issuer or Subject) and Serial number. But when I used openssl to create a renewed certificate following the steps I mentioned already, I see that the subject can be altered and the serial number is different.
>
> From your mail I understand that, other than the public key, any field can be different or the same depending on the CA that the customer uses. We have many customers across the globe and they get their certificates signed and renewed by many CAs in the market.
>
> So my conclusion is that it's up to us to decide now on choosing the match fields. Let me know if I am missing something.

Now, I don't know the details of your software, but I'd advise to use the subject fields (maybe only some of them) to identify the customer. Though there's no guarantee, my guess is that in most renewed certificates the subject won't change... Also you'll catch those customers who'll want to use new keys. Same issuer makes some sense, because usually another CA will have more or less subtle differences in the subject fields.
Of course you'll never get 100% of all "renewed" certificates, but a good percentage should be possible.

I'd not restrict identification to the same public key, because that's only a technical detail, but has no "intrinsic" connection to the person who uses it. The serial number is definitely useless for your purpose.

All this has not much to do with openssl, so maybe we should move to private discussion if you still have questions. And maybe I should think about consulting charges... :-)

Hope this helps,
Ted

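The two technical points of this thread, that a "renewed" certificate is simply a new certificate (new serial number, longer validity) issued for the same key pair, and Ted's advice to match an installed certificate against a candidate replacement on subject and issuer rather than on serial number or public key, can be shown end to end with the Go standard library. The following is an added example written for this page, not code from the thread, from OpenSSL, or from Kamalraj's application. It builds a hypothetical in-memory test CA (names such as "Example Test CA", "gateway.customer.example" and "Customer Corp" are constructed) and issues three candidates against one installed certificate: a same-key renewal, a rekeyed renewal, and a certificate for a different subject signed with the same key. The SKI is derived here as SHA-1 over the DER SubjectPublicKeyInfo, one of the derivations RFC 5280 permits (OpenSSL hashes only the key bits); any stable derivation serves for this comparison.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RenewalCheck records which identifying fields an installed certificate and a
// candidate replacement have in common.
type RenewalCheck struct {
	SameSubject bool // identical Subject DN (compared as DER, so encoding differences count)
	SameIssuer  bool // identical Issuer DN
	SameKey     bool // identical SubjectPublicKeyInfo, i.e. renewed for the same key pair
	SameSKI     bool // identical Subject Key Identifier extension
	SameSerial  bool // never true for two distinct certificates from the same CA
}

// CheckRenewal compares the fields discussed in the thread. Only subject and issuer
// decide IsRenewal; key and SKI are reported so a rekeyed renewal is still accepted.
func CheckRenewal(old, candidate *x509.Certificate) RenewalCheck {
	return RenewalCheck{
		SameSubject: bytes.Equal(old.RawSubject, candidate.RawSubject),
		SameIssuer:  bytes.Equal(old.RawIssuer, candidate.RawIssuer),
		SameKey:     bytes.Equal(old.RawSubjectPublicKeyInfo, candidate.RawSubjectPublicKeyInfo),
		SameSKI:     bytes.Equal(old.SubjectKeyId, candidate.SubjectKeyId),
		SameSerial:  old.SerialNumber.Cmp(candidate.SerialNumber) == 0,
	}
}

// IsRenewal is the matching rule suggested in the thread: same subject, same issuer.
func (r RenewalCheck) IsRenewal() bool { return r.SameSubject && r.SameIssuer }

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// keyID derives a Subject Key Identifier as SHA-1 over the DER-encoded SubjectPublicKeyInfo
// (assumption for this example; RFC 5280 allows any unique derivation).
func keyID(pub *ecdsa.PublicKey) []byte {
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	sum := sha1.Sum(spki)
	return sum[:]
}

// issue signs a leaf certificate for pub under the hypothetical test CA. The serial is
// passed in so the example can show that a renewal always gets a fresh one.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, subject pkix.Name, pub *ecdsa.PublicKey, days int) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Duration(days) * 24 * time.Hour),
		SubjectKeyId: keyID(pub),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Scenarios holds one installed certificate and three constructed candidate replacements.
type Scenarios struct {
	Old, SameKeyRenewal, RekeyedRenewal, OtherSubject *x509.Certificate
}

// BuildScenarios creates the test CA (constructed, in-memory only) and the four certificates.
func BuildScenarios() Scenarios {
	caKey := newKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		panic(err)
	}
	customer := pkix.Name{CommonName: "gateway.customer.example", Organization: []string{"Customer Corp"}}
	other := pkix.Name{CommonName: "backup.customer.example", Organization: []string{"Customer Corp"}}
	key := newKey()
	return Scenarios{
		Old:            issue(ca, caKey, 1001, customer, &key.PublicKey, 30),
		SameKeyRenewal: issue(ca, caKey, 1002, customer, &key.PublicKey, 365),      // same key, new serial, longer validity
		RekeyedRenewal: issue(ca, caKey, 1003, customer, &newKey().PublicKey, 365), // customer rotated the key
		OtherSubject:   issue(ca, caKey, 1004, other, &key.PublicKey, 365),         // same key, different identity
	}
}

func main() {
	s := BuildScenarios()
	for name, c := range map[string]*x509.Certificate{
		"same-key renewal": s.SameKeyRenewal, "rekeyed renewal": s.RekeyedRenewal, "other subject": s.OtherSubject,
	} {
		r := CheckRenewal(s.Old, c)
		fmt.Printf("%-17s renewal=%-5v %+v\n", name, r.IsRenewal(), r)
	}
}
```

Running it shows the same-key renewal sharing subject, issuer, key and SKI but not the serial; the rekeyed renewal still matching on subject and issuer; and the other-subject certificate being rejected even though it carries the very same public key, which is the reason the reply above treats the key as a technical detail rather than an identity. In production the subject comparison would typically be narrowed to the attributes the application actually cares about, since CAs differ in which DN attributes they include.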