What I would do is a pair of commands:

$ openssl x509 -in currentcertificate.pem -out selfsigned.pem -days
1024 -signkey currentkey.pem
$ openssl x509 -in selfsigned.pem -days 1024 -CA ca.pem -CAserial
serial -out refreshedcert.pem -outform PEM

Since you're creating a self-signed cert in the first command, the
input is appropriate for the -CA function.

Note, under the BUGS section of the 'x509' man page, it says:
"Extensions in certificates are not transferred to certificate
requests and vice versa." So you can't just convert to request and
then sign the request. However, extensions are retained from cert to
cert if you don't use the -clrext option.

-Kyle H


On 10/24/07, Simon McMahon wrote:
> I found this in the pkcs#12 FAQ:
>
>
> 2. Extend the CA expiry date with e.g.:
> openssl x509 -in demoCA/cacert.pem -days 1024 -out cacert.pem -signkey
> demoCA/private/cakey.pem
> ...
>
> This is almost correct for me, and it even preserves the extensions, but
> it always produces a self-signed cert by resetting the issuer.
>
> I also tried the following, where my cert is in ee.pem (signed by ca.pem):
>
> openssl x509 -in ee.pem -days 1024 -out ee_1.pem -CA
> ca.pem -CAserial serial
>
> It fails like this:
> Loading 'screen' into random state - done
> Getting CA Private Key
> /C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=Test/CN=ee
> error with certificate - error 20 at depth 0
> unable to get local issuer certificate
> /C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=Test/CN=ee
> error with certificate - error 21 at depth 0
> unable to verify the first certificate
>
> The doc says "Without the -req option the input is a certificate which
> must be self signed" and the ee cert obviously isn't self-signed. Is there
> any command options that can get this to work?
>
> I can write a program to do this but since it works already for
> self-signed certs, I would have thought it would already be in openssl.
> Any reason why it's not in the 'openssl' command line tool?
> If I patch the openssl tool to add this will it get integrated into the
> main code base? I.e. would anyone else use this to refresh end-user certs?
>
> Simon McMahon

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org