Renewing expired certificates


Renewing expired certificates

michael Dorrian
Is this correct, or is there a simpler way? I have to revoke all my client, server and root files and then basically create everything over again? I am sure I can just use the same commands I used to make the root cert and then sign the client and server files, and by doing this just overwrite all the existing files that are there. Is there a simpler way of just renewing the files that exist without having to create the root CA cert again and signing everything? The security does not need to be very high in my system, but I would like to have a client and server pair and have two-way authentication; keeping the same CA forever is fine. The only time I would like to use the revoke command is when it is really needed. Do I need to use the revoke command, and why? Also, what is the easiest way for me to renew my expired certificates? Any answers to both these questions would be greatly appreciated.



Re: Renewing expired certificates

Bernhard Fröhlich-2
michael Dorrian wrote:
> Is this correct or is there a simpler way? I have to revoke all my
> client, server and root files and then basically create everything over
> again?
It depends on which certs are expired. If it's the root certificate
which has expired you're basically correct. But there's no need to
revoke all client certs; they will be valid at least till the root cert
is expired, but not longer than their own expiry (handling of expired root
certificates depends somewhat on the application).

> I am sure I can just use the same commands I used to make the root
> cert and then sign the client and server files and by doing this just
> overwrite all the existing files that are there. Is there a simpler
> way of just renewing the files that exist without having to create the
> root CA cert again and signing everything? The security does not need
> to be very high in my system but I would like to have a client and
> server pair and have two-way authentication but keeping the same CA
> forever is fine. The only time I would like to use the revoke command
> is when it is really needed.
> Do I need to use the revoke command and why?
No. Revoking expired certificates is only needed if you keep using
your index file and the "unique_subject" entry in openssl.cnf is not set
to "no".
One thing you'll have to think of is that if you overwrite your
existing files you'll have no way to revoke one of the old certs in case
it is compromised. They may still be valid for some time.
> Also what is the easiest way for me to renew my expired certificates?
If you still have a backup of the requests it should be possible to
generate certificates for all those requests using batch mode and
sending out the new certs. But it may be difficult to convince the
client software to use the new cert with the old keys, depending on the
software (I have not managed it e.g. with Mozilla browsers)... IMHO it
would be better just to notify your clients that they have to send in a
new cert request.
> Any answers to both these questions would be greatly appreciated.
>
Hope it helps,
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
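As an added illustration of Ted's points about the index file, `unique_subject` and keeping the ability to revoke (example code written for this page, not something from the thread or from OpenSSL itself): a small parser for the `index.txt` that `openssl ca` maintains, run over a constructed sample. It reports which rows would block re-signing a request for the same subject, which rows still flagged V are already past their expiry date, and which old certificates are still live and would need a revoke if compromised. The sample serials, names and dates are made up.

```python
from datetime import datetime, timezone
from typing import List, NamedTuple

# Constructed sample of an `openssl ca` index.txt (tab-separated columns:
# status, notAfter, revocation date[,reason], serial, cert file, subject DN).
SAMPLE_INDEX = (
    "V\t260101120000Z\t\t01\tunknown\t/CN=server.example.test\n"
    "V\t200101120000Z\t\t02\tunknown\t/CN=client1.example.test\n"
    "R\t270101120000Z\t230615090000Z,keyCompromise\t03\tunknown\t/CN=client2.example.test\n"
    "E\t190101120000Z\t\t04\tunknown\t/CN=client3.example.test\n"
)

class Entry(NamedTuple):
    status: str  # V = valid, R = revoked, E = expired (set by `openssl ca -updatedb`)
    not_after: datetime
    serial: str
    subject: str

def parse_time(stamp: str) -> datetime:
    """index.txt uses UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(stamp) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)

def parse_index(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, not_after, _revoked, serial, _file, subject = line.split("\t")
        entries.append(Entry(status, parse_time(not_after), serial, subject))
    return entries

def blocking_entries(entries: List[Entry], subject: str) -> List[Entry]:
    """Rows that make `openssl ca` refuse a new cert for `subject` when
    unique_subject = yes. Only rows still flagged V take part in that check,
    and a cert keeps its V flag after notAfter until -updatedb or a revoke
    changes it, so an expired but unmaintained row still blocks re-signing."""
    return [e for e in entries if e.status == "V" and e.subject == subject]

def stale_valid(entries: List[Entry], now: datetime) -> List[Entry]:
    """Rows flagged V whose notAfter has passed: what -updatedb would flip to E."""
    return [e for e in entries if e.status == "V" and e.not_after <= now]

def still_live(entries: List[Entry], now: datetime) -> List[Entry]:
    """Unexpired, unrevoked certs. If one of these keys leaks, the only remedy
    is a revoke plus a fresh CRL, which needs the old index and serial files;
    overwriting them when re-creating the CA throws that ability away."""
    return [e for e in entries if e.status == "V" and e.not_after > now]
```

Running `stale_valid` before `blocking_entries` tells you whether an `openssl ca -updatedb` (or a revoke) is what stands between you and re-signing the old request, rather than a new CA.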



Re: Renewing expired certificates

michael Dorrian
Thanks a lot for the response. It helped a lot.
Bernhard Froehlich <[hidden email]> wrote: