Renewing a CA root certificate


Renewing a CA root certificate

Greg Vickers
Hi all,

I am in the process of renewing a root CA certificate (which is expiring
soon). I should be able to use the original certificate signing request
to issue a new certificate for the CA, correct?

And what is the best way of deploying the new CA certificate?

--
Greg Vickers
Project Manager, IT Security
Information Technology Services
Queensland University of Technology
L12, 126 Margaret St, Brisbane

Phone: (07) 3864 9536
Mobile: 0410 434 734
Email: [hidden email]
IT Security web site: http://www.its.qut.edu.au/itsecurity/

CRICOS No. 00213J
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Renewing a CA root certificate

Greg Vickers
Argh, hit the send button before I had finished *blush*

Greg Vickers wrote:
> Hi all,
>
> I am in the process of renewing a root CA certificate (which is expiring
> soon.) I should be able to use the original certificate signing request
> to issue a new certificate for the CA, correct?
>
> And what is the best way of deploying the new CA certificate?

... I meant to write here - we can publish the new certificate, but we
will have to get the new certificate to all the desktops that use the
old certificate, correct? Will this be the best way of doing the deployment?

--
Greg Vickers
Project Manager, IT Security
Information Technology Services
Queensland University of Technology
L12, 126 Margaret St, Brisbane

Phone: (07) 3864 9536
Mobile: 0410 434 734
Email: [hidden email]
IT Security web site: http://www.its.qut.edu.au/itsecurity/

CRICOS No. 00213J

Re: Renewing a CA root certificate

Arsen Hayrapetyan-2
Hi Greg,

Greg Vickers wrote:

> Argh, hit the send button before I had finished *blush*
>
> Greg Vickers wrote:
>
>> Hi all,
>>
>> I am in the process of renewing a root CA certificate (which is
>> expiring soon.) I should be able to use the original certificate
>> signing request to issue a new certificate for the CA, correct?
>>
Yes. But even if you don't have the original certificate signing request
(CSR), you can generate it from the existing certificate:

openssl x509 -x509toreq -in ORIGINAL_CA_CERT -signkey PRIVATE_KEY -out careq.csr

>> And what is the best way of deploying the new CA certificate?
>
>
> ... I mean to write here - we can publish the new certificate, but we
> will have to get the new certificate to all the desktops that use the
> old certificate, correct? Will this be the best way of doing the
> deployment?
>
You could publish the renewed certificate and notify relying parties
about the certificate renewal - probably it requires less labour.

However, if your CA root certificate is expiring soon, isn't it a better
idea to do a re-key (of course, if it is allowed by your policy) than to
continue to use the old key-pair? (It is safer to re-key from time to time
than to use the same key-pair for a long period.)

Arsen.

--
PGP Key: ID 0xBBE3DFD8 (expires: 2006-08-03)
Fingerprint: 1C3B 2C01 40DF ED87 23B1  BF6F 95C4 2E77 BBE3 DFD8



Re: Renewing a CA root certificate

Greg Vickers
Thanks Arsen!

Arsen Hayrapetyan wrote:

>>>I am in the process of renewing a root CA certificate (which is
>>>expiring soon.) I should be able to use the original certificate
>>>signing request to issue a new certificate for the CA, correct?
>
> Yes. But even if you don't have the original certificate signing request
> (CSR), you can generate it from the
> existing certificate:
>
> openssl x509 -x509toreq -in ORIGINAL_CA_CERT -signkey PRIVATE_KEY -out careq.csr
>
>>>And what is the best way of deploying the new CA certificate?
>>
>>... I mean to write here - we can publish the new certificate, but we
>>will have to get the new certificate to all the desktops that use the
>>old certificate, correct? Will this be the best way of doing the
>>deployment?
>
> You could publish the renewed certificate and notify relying parties
> about certificate renewal - probably it requires less labour.

Thanks for the tip - we have a Microsoft SOE that the certificate is
used in so we should be able to deploy the new certificate directly to
the desktops with SMS.

> However, if your CA root certificate is expiring soon, isn't it a better
> idea to do a re-key (of course, if it is allowed by your policy) than to
> continue to use the old key-pair? (It is safer to re-key from time to time
> than to use the same key-pair for a long period.)

Thanks again - we will do a re-key. Would I use the CA.pl script and put
in the same information that is in the original CA certificate? Will
that result in a CA certificate that can be used in browsers etc and
will authenticate web server certificates issued by the old certificate?

Thanks,
--
Greg Vickers
Project Manager, IT Security
Information Technology Services
Queensland University of Technology
L12, 126 Margaret St, Brisbane

Phone: (07) 3864 9536
Mobile: 0410 434 734
Email: [hidden email]
IT Security web site: http://www.its.qut.edu.au/itsecurity/

CRICOS No. 00213J

Re: Renewing a CA root certificate

Jason Haar
Greg Vickers wrote:
> Thanks again - we will do a re-key. Would I use the CA.pl script and
> put in the same information that is in the original CA certificate?
> Will that result in a CA certificate that can be used in browsers etc
> and will authenticate web server certificates issued by the old
> certificate?
I think the answer is: "it depends"

I have just tested this very situation out myself a couple of weeks ago.
Had an existing CA which is going to expire in 2007, but now have heaps
of client certs out on end-user machines with expiry dates > 2007 (yes,
it can be done - don't ask why we did this - too much detail!). So I'd
*love* to be able to re-create the CA cert with a longer expiry date.

So I did: different expiry date and different serial number from the
original - but everything else identical. However, that still makes it a
"different" cert.

Anyway, I tested a new client cert signed with the new CA against an
existing Cisco VPN3000 concentrator which is configured to only accept
certs signed by the old CA - it worked!!

Then I tried it against an Apache web server configured to only accept
client certs signed by the old CA - it failed. Apache didn't recognize
the signing CA.

So I'm guessing there's a bug in Cisco's VPN solution - as I think
Apache was the one acting correctly :-(

I really hope someone who knows more than Greg and I can give an
authoritative answer to this question. I'd LOVE to know how to recreate
a CA cert (instead of creating a new one and having to touch 1000's of
machines to update them). But I get the feeling this can't be done.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: Renewing a CA root certificate

Greg Vickers
In reply to this post by Arsen Hayrapetyan-2
Arsen,

Arsen Hayrapetyan wrote:

<snip>

> However, if your CA root certificate is expiring soon, isn't it a better
> idea to do a re-key (of course, if it is allowed by your policy) than to
> continue to use the old key-pair? (It is safer to re-key from time to time
> than to use the same key-pair for a long period.)

I forgot to ask, *how* do you re-key? Does re-keying mean using the
original .csr? Can what Jason Haar did be made to work such that the
'new' version of the root CA certificate will authenticate web server
certificates issued with the 'old' root CA certificate?

Thanks,
--
Greg Vickers
Project Manager, IT Security
Information Technology Services
Queensland University of Technology
L12, 126 Margaret St, Brisbane

Phone: (07) 3864 9536
Mobile: 0410 434 734
Email: [hidden email]
IT Security web site: http://www.its.qut.edu.au/itsecurity/

CRICOS No. 00213J

Re: Renewing a CA root certificate

Greg Vickers
In reply to this post by Jason Haar
Hi all,

Jason Haar wrote:
> Greg Vickers wrote:
>
>>Thanks again - we will do a re-key. Would I use the CA.pl script and

<snip>

> I really hope someone who knows more than Greg and I can give an
> authoritative answer to this question. I'd LOVE to know how to recreate
> a CA cert (instead of creating a new one and having to touch 1000's of
> machines to update them). But I get the feeling this can't be done

I found this article: http://www.debian-administration.org/articles/284
Search for "renewing certificates" and you will see the following text:


Your certificate chain can break due to certificate expiry in two ways:

     * The certificates you signed with your root certificate have expired.
     * Your root certificate itself has expired.

In the second case, you have some work to do. A new root CA certificate
must be created and distributed, and then your existing certificates
must be recreated or re-signed.


So that would seem to indicate that upon expiry of a root certificate
you have to create a new root certificate and recreate/resign any
certificates in use on web servers or whatever... bleck! I'll keep
looking unless someone confirms this behavior and dashes the hopes of
Jason and myself :P

Thanks,
--
Greg Vickers
Project Manager, IT Security
Information Technology Services
Queensland University of Technology
L12, 126 Margaret St, Brisbane

Phone: (07) 3864 9536
Mobile: 0410 434 734
Email: [hidden email]
IT Security web site: http://www.its.qut.edu.au/itsecurity/

CRICOS No. 00213J

Re: Renewing a CA root certificate

Arsen Hayrapetyan-2
Hi Greg and Jason,

Greg Vickers wrote:

> Hi all,
>
> Jason Haar wrote:
>
>> Greg Vickers wrote:
>>
>>> Thanks again - we will do a re-key. Would I use the CA.pl script and
>>
>
> <snip>
>
>> I really hope someone who knows more than Greg and I can give an
>> authoritative answer to this question. I'd LOVE to know how to recreate
>> a CA cert (instead of creating a new one and having to touch 1000's of
>> machines to update them). But I get the feeling this can't be done
>
>
> I found this article: http://www.debian-administration.org/articles/284
> Search for "renewing certificates" and you will see the following text:
>
>
> Your certificate chain can break due to certificate expiry in two ways:
>
>     * The certificates you signed with your root certificate have
> expired.
>     * Your root certificate itself has expired.
>
> In the second case, you have some work to do. A new root CA
> certificate must be created and distributed, and then your existing
> certificates must be recreated or re-signed.
>
>
> So that would seem to indicate that upon expiry of a root certificate
> you have to create a new root certificate and recreate/resign any
> certificates in use on web servers or whatever... bleck! I'll keep
> looking unless someone confirms this behavior and dashes the hopes of
> Jason and myself :P
>
> Thanks,
If you have certificates which are to expire later than the CA root
certificate itself, you cannot perform a re-key of the CA root
certificate. The term re-key refers to the procedure of creating a new
key-pair (see, for example, RFC 3647, sections 4.3.3 and 4.4.7; you can
download the RFC here: http://www.faqs.org/rfcs/rfc3647.html), and
obviously the certificates will not be validated with the new key-pair.

A solution could be the one which Jason described. Maybe the reason why
the new root certificate is not recognized is that the serial number was
changed?
Anyway, you can perform a renewal of a root certificate (that is,
leaving the key-pair intact, just producing a new certificate) by
extending its lifetime and preserving everything else, including the
serial number (which is usually 00 for root certs).

The following commands will do the extension (you need some tricks with
the index.txt file because of the poor functionality of the openssl x509
command):
# I assume that you're using a Unix-like operating system here :)

mkdir tests          # Directory where the cert is renewed
cd tests
echo "00" > serial   # Serial file, indicating that our renewed cert will
                     # have the serial number "00"
touch index.txt      # Fake textual database where the issued cert will be
                     # registered; it can be removed later

# Converting the existing certificate to a CSR
openssl x509 -x509toreq -in ORIGINAL_CACERT -signkey ORIGINAL_PRIVATE_KEY \
    -out certreq.csr

# Renewing the certificate, extending its lifetime
openssl ca -config CONF_FILE.cnf -startdate STARTDATE -enddate ENDDATE \
    -in certreq.csr -out cacert_renewed.pem \
    -keyfile ORIGINAL_PRIVATE_KEY -cert ORIGINAL_CACERT \
    -extensions ca_ext    # maybe you'll also need -policy POLICY_SECTION

# Here STARTDATE is that of your existing root cert, in the form
# YYMMDDHHMMSSZ (you can obtain it with
# "openssl x509 -in ORIGINAL_CACERT -noout -dates").
# For example "Dec  1 23:29:21 2003 GMT" will become 031201232921Z.
# ENDDATE is the date which you'll set as the expiry date of the renewed
# certificate.

You can use the original conf file for CONF_FILE.cnf, but MAKE SURE
you've changed the value of "dir" (where everything is kept :)) to point
to "tests":

dir = tests

All issued certificates should be validated OK when using the renewed
certificate (so you'll not be forced to re-sign issued certs).

I hope this helps.

You can also find these sites useful: www.eugridpma.org,
http://ca.dutchgrid.nl/

Arsen.

--
PGP Key: ID 0xBBE3DFD8 (expires: 2006-08-03)
Fingerprint: 1C3B 2C01 40DF ED87 23B1  BF6F 95C4 2E77 BBE3 DFD8
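An added example (not code from this thread or from the OpenSSL project) that reproduces Arsen's distinction with Go's standard crypto/x509 library instead of the openssl binary: a leaf certificate issued by the original root is checked after that root's expiry against the expired root, against a renewal that keeps the key pair, subject and serial but extends the validity, and against a re-key that keeps the subject but uses a fresh key pair. The CA name, serial numbers and dates are constructed; only the outcome pattern carries over to a real CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv) // sign tmpl under parent
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der) // parsed form carries the computed SubjectKeyId
	if err != nil {
		panic(err)
	}
	return c
}

// selfSignRoot mirrors the thread's "openssl ca" step: a renewal reuses the same
// key, subject and serial with a new validity window; a re-key passes a new key.
func selfSignRoot(key *ecdsa.PrivateKey, subj pkix.Name, serial int64, from, to time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subj, NotBefore: from, NotAfter: to,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return issue(tmpl, tmpl, &key.PublicKey, key)
}

// issueLeaf signs a server cert whose NotAfter may lie beyond the CA's own, as in Jason's case.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, to time.Time) *x509.Certificate {
	leafKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames: []string{"www.example.test"}, NotBefore: ca.NotBefore, NotAfter: to,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(tmpl, ca, &leafKey.PublicKey, caKey)
}

func chains(leaf, root *x509.Certificate, t time.Time) bool {
	pool := x509.NewCertPool() // root is the only trust anchor
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: t, DNSName: "www.example.test"})
	return err == nil
}

// RunScenario builds a constructed PKI (made-up name, serials, dates) and checks the old leaf against each root.
func RunScenario() (oldOK, renewedOK, rekeyedOK bool) {
	subj := pkix.Name{CommonName: "Example Root CA"}
	start := time.Date(2003, 12, 1, 23, 29, 21, 0, time.UTC) // the thread's STARTDATE example
	oldEnd := start.AddDate(3, 0, 0)
	caKey := newKey()
	oldRoot := selfSignRoot(caKey, subj, 7, start, oldEnd)
	leaf := issueLeaf(oldRoot, caKey, oldEnd.AddDate(2, 0, 0)) // leaf outlives the root
	renewed := selfSignRoot(caKey, subj, 7, start, start.AddDate(10, 0, 0))    // same key pair and serial
	rekeyed := selfSignRoot(newKey(), subj, 8, start, start.AddDate(10, 0, 0)) // new key pair
	at := oldEnd.AddDate(0, 6, 0) // original root has expired, leaf is still within its validity
	return chains(leaf, oldRoot, at), chains(leaf, renewed, at), chains(leaf, rekeyed, at)
}

func main() { fmt.Println(RunScenario()) }
```

Go's verifier matches the renewed root by issuer name and the SubjectKeyId derived from the unchanged public key, which is why the old leaf still chains; the re-keyed root fails the signature check exactly as Arsen predicts.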



Re: Renewing a CA root certificate

Jason Haar
Arsen Hayrapetyan wrote:
> A solution could be one which Jason described. May be the reason by
> which the new root certificate is not recognized is that the serial
> number was changed?
>  

Could very well be the case. Our original CA had a serial number of "0".
This has proven to be a bad move as Cisco IOS refuses to accept a CA
cert with such a value (even though the RFCs state a serial number must
be an integer, and last I looked, zero is an integer...) So when I
re-signed the CA I gave it a serial of "1" so as to "fix" that problem.

As I am keen to gain the ability to sign Cisco certs, I'm going to
simply start a "new" CA. We'll reconfigure all our servers to accept
both the old and new CA, and then simply phase over all new signings to
the new CA.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: Renewing a CA root certificate

Dr. Stephen Henson
On Sat, Nov 26, 2005, Jason Haar wrote:

> Arsen Hayrapetyan wrote:
> > A solution could be one which Jason described. May be the reason by
> > which the new root certificate is not recognized is that the serial
> > number was changed?
> >  
>
> Could very well be the case. Our original CA had a serial number of "0".
> This has proven to be a bad move as Cisco IOS refuses to accept a CA
> cert with such a value (even though the RFCs state a serial number must
> be an integer, and last I looked, zero is an integer...) So when I
> re-signed the CA I gave it a serial of "1" so as to "fix" that problem.
>
> As I am keen to gain the ability to sign Cisco certs, I'm going to
> simply start a "new" CA. We'll reconfigure all our servers to accept
> both the old and new CA, and then simply phase over all new signings to
> the new CA.
>

Well the RFCs say a non-negative integer at one point and that non-negative or
zero is non-conforming in another.

I heard from the authors that the intention was to only allow positive
integers so now OpenSSL created serial numbers (using CA.pl for example) will
always be positive.

Changing the root serial number to 1 (using the same DN and key) will cause
problems if a certificate with the same serial number signed by that CA
already exists. This is due to the fact that issuer name and serial number
must be unique and this can cause all manner of problems with some software if
duplicates exist.

Because it was possible to create duplicates by entering the same details
twice, the latest versions of OpenSSL don't start from '1' any more but instead
generate a random number.

So using the "official" methods of certificate creation and signing (CA.pl)
that shouldn't be a problem. However lots of unofficial "cookbooks" still
exist which often manually create serial number files.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Questions about OCSP

Stefan Vatev
In reply to this post by Jason Haar

Hi guys,
I had to look in depth at the ocsp stuff of openssl and some
questions arise. Well, in ocsp.c I don't get why, after
trying OCSP_basic_verify(bs, verify_other, store,
verify_flags) and the result is negative, openssl tries to
verify the signer's certificate again, but without the
stack of certs (which are to be verified) and all flags set to
zero. I really don't understand this piece of code :(

Another question bothering me is what is written in the ocsp
documentation. This is done when all other verification
checks failed:
"
Otherwise the root CA of the OCSP responders CA is checked
to see if it is trusted for OCSP signing. If it is the OCSP
verify succeeds.
"

My question is whether this check is openssl-specific or is
RFC-based, because I've been searching for it in RFC2560
with no success.

Any comments are welcomed :)
Stefan






Re: Questions about OCSP

Dr. Stephen Henson
On Mon, Nov 28, 2005, Stefan Vatev wrote:

>
> Another question bothering me is what is written in the ocsp
> documentation. This is done when all other verification
> checks failed:
> "
> Otherwise the root CA of the OCSP responders CA is checked
> to see if it is trusted for OCSP signing. If it is the OCSP
> verify succeeds.
> "
>
> My question is whether this check is openssl-specific or is
> RFC-based, because I've been searching for it in RFC2560
> with no success.
>

This is covered by 2.2 and the possibility of "a Trusted Responder whose public
key is trusted by the requester".

The RFC leaves the criteria under which the public key will be trusted by the
requester open. It is one way under which a "global responder" can be trusted.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Questions about OCSP

Dr. Stephen Henson
In reply to this post by Stefan Vatev
On Mon, Nov 28, 2005, Stefan Vatev wrote:

>
> Hi guys,
> I had to look in-depth the ocsp stuff of openssl and some
> questions arise. Well, in ocsp.c I don't get why after
> trying OCSP_basic_verify(bs, verify_other, store,
> verify_flags) and the result is negative openssl tries to
> verify the signer's certificate again, but without the
> stack of certs (which to be verified) and all flags set to
> zero. I really don't understand this piece of code :(
>

I have to admit that I wasn't sure why that was there either :-)

Checking through CVS it looks like it is some legacy code from the initial
support for -VAfile which is now handled differently and that isn't needed any
more.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Questions about OCSP

Stefan Vatev
Citation from "Dr. Stephen Henson" <[hidden email]>:

> On Mon, Nov 28, 2005, Stefan Vatev wrote:
>
> >
> > Hi guys,
> > I had to look in-depth the ocsp stuff of openssl and some
> > questions arise. Well, in ocsp.c I don't get why after
> > trying OCSP_basic_verify(bs, verify_other, store,
> > verify_flags) and the result is negative openssl tries to
> > verify the signer's certificate again, but without the
> > stack of certs (which to be verified) and all flags set to
> > zero. I really don't understand this piece of code :(
> >
>
> I have to admit that I wasn't sure why that was there either :-)
>
> Checking through CVS it looks like it is some legacy code from the
> initial support for -VAfile which is now handled differently and that
> isn't needed any more.
>
>
> Steve.


Another question that arises is that when the -VAfile option is
supplied I think it's a good idea to set the OCSP_NOINTERN
flag for response verification. My point is that if the
cert supplied by the -VAfile option is not able to verify
the response, then the ocsp cert from the response is used
for verification and I don't think that's expected in most
cases.
Anyway, I don't think it's a good idea to look at the certs
chain in the response either.

Stefan.

