I found this in the pkcs#12 FAQ:


2. Extend the CA expiry date with e.g.:
openssl x509 -in demoCA/cacert.pem -days 1024 -out cacert.pem -signkey demoCA/private/cakey.pem
....

This is almost correct for me, and it even preserves the extensions, but
it always produces a self-signed cert by resetting the issuer.

I also tried the following, where my cert is in ee.pem (signed by ca.pem):

openssl x509 -in ee.pem -days 1024 -out ee_1.pem -CA ca.pem -CAserial serial

It fails like this:
Loading 'screen' into random state - done
Getting CA Private Key
/C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=Test/CN=ee
error with certificate - error 20 at depth 0
unable to get local issuer certificate
/C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=Test/CN=ee
error with certificate - error 21 at depth 0
unable to verify the first certificate

The doc says "Without the -req option the input is a certificate which
must be self signed" and the ee cert obviously isn't self-signed. Are there
any command options that can get this to work?

I can write a program to do this but since it works already for
self-signed certs, I would have thought it would already be in openssl.
Any reason why it's not in the 'openssl' command line tool?
If I patch the openssl tool to add this will it get integrated into the
main code base? I.e. would anyone else use this to refresh end-user certs?

Simon McMahon




"David Schwartz"
Sent by: owner-openssl-users@openssl.org
24/10/2007 05:13 PM
Please respond to openssl-users@openssl.org
Subject: RE: refresh validity dates on a certificate

> I just saw the "RE: Changing the expiry date of a cert" thread but I think
> my question is a little different.
>
> My certs are not CA certs they are user certs where the only thing I
> really need to preserve are subject, issuer, key & cert extensions. The
> serial # doesn't matter.
>
> The thing I would like to use is "openssl x509" and specify the old cert
> and get a new cert from it with all the extensions preserved.


This capability is not built into the 'openssl' command line tool, but it's
pretty close to trivial to write a program to read in a certificate, change
the from/to validity dates, sign the certificate, and write out the result.

DS


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org

