No wonder I couldn't find the MakeCertificate function; it actually
resides in an external library. I'll try to do anything I can to make
sure it works as needed.

However, thank you very much for your help, David Schwartz. If you were in
the java.sun.com forum, I'd surely have given you at least 7 duke dollars.

Thanks again


It's a kludge, but you could modify the certificate and then fix the
signature, if you have direct access to the key that signs them. The key
appears to be passed to 'RenewCertificate' and 'GenCRL'.

After you adjust the time, just add this (untested):

X509_gmtime_adj(X509_get_notBefore(x),0); //added on 16/7/2007
X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*pinfo.validity);
X509_gmtime_roundup(X509_get_notAfter(x));
X509_sign(x, key, EVP_sha1());

I think the 'key' should be the same thing you pass as 'pkey' to
RenewCertificate. (I'm assuming 'RenewCertificate' or the CRL code use the
same private key as you use to sign certificates. Double-check that too!)

I've never tried signing a certificate that has already been signed. I
hope it will digest and sign the correct part of the certificate and replace
the old signature with a new one. But I've never tried it and can't easily
test it right now.

DS
