The certs are below.
The SKID & AKID look like they are never updated in the extensions, just
copied across verbatim.
In ocspss2 they are still as they were in the original ocspss which was
self-signed.

ocspss2:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 40 (0x28)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Queensland, L=Gold Coast, O=IBM, OU=GSKit, CN=ca
Validity
Not Before: Oct 25 04:09:19 2007 GMT
Not After : Aug 14 04:09:19 2010 GMT
Subject: C=AU, ST=Queensland, L=Gold Coast, O=IBM, OU=GSKit, CN=ocspss
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:df:2b:01:4f:21:f0:ba:3d:e1:e3:e2:02:a2:c0:
9e:82:a4:e3:a7:7a:d4:84:6e:fe:a8:5e:26:a5:ff:
80:80:d2:6e:7e:24:4d:ad:ca:b6:f6:c5:9b:b4:02:
9b:39:ca:9d:b4:48:99:6f:43:d6:f8:58:b8:ff:29:
21:3f:35:40:d3:40:dd:8f:a8:36:f2:3e:5e:ed:72:
5f:01:00:40:b5:9d:5c:3e:92:a3:7d:4b:a8:51:22:
dd:6d:ab:e2:a6:f1:e1:52:30:bb:64:4b:82:33:af:
bc:23:2e:4e:0d:5b:d5:b7:71:2f:64:52:cc:78:d0:
53:9d:ad:2b:ef:7e:16:21:cb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
OCSP Signing
Netscape Comment:
OpenSSL Generated OCSP Certificate
X509v3 Subject Key Identifier:
AB:66:CE:08D:F2:3F:9E:45:67:694:05:8C:28:85:0C:F6:08:18
X509v3 Authority Key Identifier:
keyid:AB:66:CE:08D:F2:3F:9E:45:67:694:05:8C:28:85:0C:F6:08:18

X509v3 Subject Alternative Name:


Signature Algorithm: sha1WithRSAEncryption
95:fd:10:ef:a1:f7:88:98:fe:f6:9e:70:f7:8b:b8:01:b5:ab:
13:a8:d2:62:64:14:1a:c4:51:4f:3b:3d:8d:91:f4:bb:4c:5d:
cf:09:c6:6c:7d:db:77:c3:7f:a7:2d:1d:a1:82:0f:ce:5d:42:
7a:81:01:17:e6:80:d3:fb:4f:56:d9:b4:3c:65:c7:d7:d8:0c:
bc:0c:bb:f5:56:36:45:d0:4f:fb:f3:06:42:e6:fc:77:e4:63:
0e:3c:20:59:b3:66:7a:d5:61:ce:eb:e1:1d:75:e4:a5:64:33:
68:56:dd:7f:a4:aa:13:9a:15:38:b7:79:f5:9b:d2:ea:06:e7:
c4:04:32:9b:6d:d2:ea:68:96:ac:5b:c9:2d:fd:4e:18:02:a9:
07:8a:b0:e8:56:e3:9b:21:55:13:24:75:89:bb:67:85:63:5c:
62:19:65:d5:e4:a1:e3:26:ef:7a:db:f2:86:80:55:4d:0e:f8:
df:13:79:9d:99:93:16:0d:51:4c:6a:fe:c4:c6:5e:dd:d9:29:
54:69:e9:3f:20:a2:8b:fa:0e:ab:fb:11:28:3c:c2:d0:2c:d6:
9e:00:1c:e6:13:e3:8f:c5:ea:a9:58:6a:dc:99:1b:8c:c8:48:
8c:d5:57:87:93:d7:ca:c0:f6:f9:c6:a2:c3:30:e6:f6:99:d7:
1e:8d:72:9c

ca cert

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b3:86:5b:e2:40:33:5e:45
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Queensland, L=Gold Coast, O=IBM, OU=GSKit, CN=ca
Validity
Not Before: Oct 5 23:52:08 2006 GMT
Not After : Oct 4 23:52:08 2009 GMT
Subject: C=AU, ST=Queensland, L=Gold Coast, O=IBM, OU=GSKit, CN=ca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:be:6e:ea:2a:e2:d0:3b:9d:19:79:0e:36:96:70:
5e:cd:59:06:39:26:31:8b:67:b4:cb:9b:f9:6f:13:
e4:8d:27:ee:2b:f1:00:17:09:10:d4:94:09:c3:e7:
93:a2:3f:0c:9d:3d:5b:be:fb:1d:37:c0:c2:69:1a:
2d:e2:ce:ee:ca:c7:7f:7b:fb:bf:fc:4b:29:df:d6:
a8:92:58:eb:d4:d2:3a:c3:b1:51:21:b9:d3:65:0f:
66:26:45:ad:f1:2e:cc:3c:90:a9:0c:77:55:7f:43:
63:a5:62:a0:27:83:bb:84:d2:4d:32:42:c3:ca:a5:
ec:14:9c:a7:ea:5c:04:26:b0:64:33:b7:73:c2:00:
ad:ed:67:64:63:e0:cf:5e:12:81:a2:49:33:21:30:
d2:43:35:f0:d6:e8:40:28:b3:14:27:19:6c:2a:1d:
39:3f:1d:d5:d0:9c:87:4c:f4:8d:db:9b:1f:9b:4b:
55:b5:aa:d2:4f:13:9c:8f:ac:99:4a:e3:da:a8:08:
24:95:af:a5:4f:50:e3:f7:59:1d:1a:1a:c0:57:ef:
6e:07:8c:41:cb:30:b9:ce:b5:dd:51:a8:6a:39:0b:
e2:4d:53:5d:d6:54:5b:ee:b7:f1:3a:22:e4:a2:16:
3d:03:14:93:9e:d5:9b:c7:18:15:43:8c:b9:ff:b3:
34:91
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
89:9E:C2:C4:E6:87:4E:C2C:9EE:A75:BE:64:F6:BF:2C:1E:2C
X509v3 Authority Key Identifier:
keyid:89:9E:C2:C4:E6:87:4E:C2C:9EE:A75:BE:64:F6:BF:2C:1E:2C
DirName:/C=AU/ST=Queensland/L=Gold Coast/O=IBM/OU=GSKit/CN=ca
serial:B3:86:5B:E2:40:33:5E:45

X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
55:88:47:a0:72:88:e0:9e:3f:26:de:b7:02:9f:63:a2:75:f1:
c1:5d:1b:50:80:fe:06:8d:f8:ed:0b:cd:2d:78:19:d5:c0:3d:
da:03:91:92:f0:3d:d0:f3:22:2c:49:d2:47:74:b9:11:48:53:
2d:6c:ca:3c:4d:0a:6f:09:73:52:7f:ea:81:a6:c2:a3:01:86:
3c:c5:f8:7a:98:d3:c0:ad:32:7d:69:67:39:53:d3:75:fb:45:
2f:56:e9:f9:15:c6:5b:75:ff:32:30:46:a9:86:50:9b:1c:18:
f8:aa:6f:ec:6c:a3:7b:5b:b7:1b:0f:54:83:07:52:d3:fa:08:
29:a6:69:06:27:e3:4d:e9:b4:f5:67:ae:68:ce:f0:de:b4:b2:
ca:42:ad:1f:64:09:c9:42:54:57:42:85:1c:04:f1:60:41:04:
cc:bb:4f:a4:1c:41:66:b7:d9:e3:77:9b:6f:f2:58:b5:43:28:
ff:72:c2:3b:b5:6e:7d:8f:f5:15:18:db:5e:b5:a5:b0:73:04:
bd:40:41:88:6f:1e:1b:04:e9:77:6c:3d:af:39:88:39:89:e2:
df:6f:67:b8:b2:30:24:31:01:02:4e:e7:e0:7b:a9:9e:bd:bb:
9c:95:ed:23:09:19:04:31:2d:6c:84:f6:9d:88:ac:83:50:ad:
98:c1:70:89


Simon McMahon
Software Engineer
Australia Development Laboratory
IBM
+61 7 5552 4002


Kyle Hamilton
Sent by: owner-openssl-users@openssl.org
25/10/2007 06:24 PM
Please respond to
openssl-users@openssl.org


To
Simon McMahon/Australia/Contr/IBM@IBMAU
cc
openssl-users@openssl.org
Subject
Re: refresh validity dates on a certificate

The Authority Key Identifier should be the ID of the CA's key. The
Subject Key Identifier should be the ID of the certified key. If
they are the same, then it is a self-signed certificate. (This
information comes from http://oasis-pki.org/pdfs/AKID_SKID1-af3.pdf
-- I'm not sure how OpenSSL derives the key identifiers, but it
really shouldn't matter since the key identifier is essentially
turned into an arbitrary generator-specified nym by that same PDF.)

You made a typo in your tests.

openssl x509 -in ocspss.pem -days 1024 -out ocspss2.pem -CA ca.pem -CAserial serial

See the ocspss2.pem there?

a dump of ocspss.pem (worked) gives:

Since ocspss.pem was supposed to be a self-signed cert, and
ocspss2.pem wasn't, can you please post the dump of the ocspss2.pem
and test it?

(Also, if you can post the dump of ca.pem, it would help track down
or eliminate AKID/SKID issues.)

[And, this is also barring any odd circumstance like 'outside CA
validity period' or 'trying to sign for longer than the CA is
valid'. A dump of ca.pem will help determine that, as well.]

Thanks!

-Kyle H

On Oct 24, 2007, at 10:09 PM, Simon McMahon wrote:

> I just noticed in the extensions of the certificates that the
> "Subject Key
> Identifier" and "Authority Key Identifier" match in the one which
> works
> and are different in the one which fails. This may explain the
> verification failure.
>
> Looks like openssl has just copied the extensions without looking
> at them.
> It probably should update the "Authority Key Identifier" if it is
> present
> in the extensions.
>
> Simon McMahon
>
>
> Simon McMahon/Australia/Contr/IBM@IBMAU
> Sent by: owner-openssl-users@openssl.org
> 25/10/2007 02:48 PM
> Please respond to
> openssl-users@openssl.org
>
>
> To
> "Kyle Hamilton"
> cc
> openssl-users@openssl.org
> Subject
> Re: refresh validity dates on a certificate
>
>
> Great idea!
> That certainly should work but didn't for me.
> My openssl is "OpenSSL 0.9.8b 04 May 2006"
>
> The 1st command worked fine and gave a self-signed cert that looked
> fine.
> See below for a dump of it.
> openssl x509 -in sslcln.pem -days 1024 -out sslcln2.pem -signkey sslcln.pem
> The 2nd command returned the same error (see below) as I was getting
> before!
> openssl x509 -in sslcln2.pem -days 1024 -out sslcln3.pem -CA ca.pem -CAserial serial
>
> Note: sslcln.pem and ca.pem both contain the cert & private key.
>
> To make sure I wasn't just doing it wrong I tried it on another
> self-signed cert, created normally (for ocsp) with "openssl req -new -x509 ..."
> openssl x509 -in ocspss.pem -days 1024 -out ocspss2.pem -CA ca.pem -CAserial serial
> This worked fine, updating the validity preserving the extensions as I
> needed.
>
> Did I do something wrong in command 1?
>
> error from command 2:
> Loading 'screen' into random state - done
> Getting CA Private Key
> /C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=GSKit/CN=sslcln
> error with certificate - error 20 at depth 0
> unable to get local issuer certificate
> /C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=GSKit/CN=sslcln
> error with certificate - error 21 at depth 0
> unable to verify the first certificate
>
> a dump of sslcln2.pem (not working) gives:
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 15 (0xf)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=AU, ST=Queensland, O=IBM, L=Gold Coast, OU=GSKit, CN=sslcln
> Validity
> Not Before: Oct 25 04:00:23 2007 GMT
> Not After : Aug 14 04:00:23 2010 GMT
> Subject: C=AU, ST=Queensland, O=IBM, L=Gold Coast, OU=GSKit, CN=sslcln
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):
> 00:a9:b1:99:5a:c2:d5:83:a6:6d:ea:d1:1f:f2:8c:
> bf:43:6c:a2:09:07:f8:14:2f:f7:07:e4:cb:57:d9:
> 53:2e:55:68:86:c8:4d:8f:d2:3a:5a:81:ca:65:b0:
> 83:0a:97:6e:5a:15:f5:df:65:8f:e0:27:e3:dc:d1:
> 84:3a:ac:a2:d8:a9:9e:69:e1:5f:1d:88:10:72:85:
> 7e:ea:a4:db:79:43:0b:63:6b:4f:e0:8f:ee:09:9a:
> 66:14:bb:b1:48:2d:17:0f:da:c0:f9:12:8e:a2:98:
> a5:61:86:85:14:10:30:c2:28:00:fd:0c:cb:ca:71:
> 9f:34:e0:8e:f5:25:f0:73:93
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints:
> CA:FALSE
> Netscape Comment:
> OpenSSL Generated Certificate
> X509v3 Subject Key Identifier:
> 8B:44:9A:12:AE:E10:7F:6F:0C:60:87:1E:A6:8A8:9C:3D:57:57
> X509v3 Authority Key Identifier:
> keyid:89:9E:C2:C4:E6:87:4E:C2C:9EE:A75:BE:64:F6:BF:2C:1E:2C
>
> X509v3 Subject Alternative Name:
>
>
> Signature Algorithm: sha1WithRSAEncryption
> 3a:15:9e:2d:0f:01:aa:b7:a2:86:b8:09:47:6b:00:7f:16:3a:
> 32:46:11:be:06:16:f0:b8:cc:67:6e:8e:fe:32:14:5d:87:1c:
> ea:da:fa:81:e8:e7:e8:9f:c5:e1:06:4b:cc:2e:de:f7:bc:df:
> 9e:60:be:94:23:67:b9:76:c9:47:4d:0c:ab:61:a5:eb:5e:3e:
> d3:50:c5:4b:4c:d3:92:a3:7e:31:03:dd:68:64:6a:e3:53:df:
> 26:0b:c0:a0:d7:ff:a6:7d:5b:29:6f:50:8a:b7:8e:45:90:c8:
> 1f:2e:a2:43:14:69:54:32:82:3c:90:b1:70:b2:8e:c1:b7:5d:
> df:f7
>
> a dump of ocspss.pem (worked) gives:
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> ce:f1:9e:49:5a:60:ca:63
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=AU, ST=Queensland, L=Gold Coast, O=IBM, OU=GSKit, CN=ocspss
> Validity
> Not Before: Oct 6 06:53:16 2006 GMT
> Not After : Oct 5 06:53:16 2009 GMT
> Subject: C=AU, ST=Queensland, L=Gold Coast, O=IBM, OU=GSKit, CN=ocspss
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):
> 00:df:2b:01:4f:21:f0:ba:3d:e1:e3:e2:02:a2:c0:
> 9e:82:a4:e3:a7:7a:d4:84:6e:fe:a8:5e:26:a5:ff:
> 80:80:d2:6e:7e:24:4d:ad:ca:b6:f6:c5:9b:b4:02:
> 9b:39:ca:9d:b4:48:99:6f:43:d6:f8:58:b8:ff:29:
> 21:3f:35:40:d3:40:dd:8f:a8:36:f2:3e:5e:ed:72:
> 5f:01:00:40:b5:9d:5c:3e:92:a3:7d:4b:a8:51:22:
> dd:6d:ab:e2:a6:f1:e1:52:30:bb:64:4b:82:33:af:
> bc:23:2e:4e:0d:5b:d5:b7:71:2f:64:52:cc:78:d0:
> 53:9d:ad:2b:ef:7e:16:21:cb
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints:
> CA:FALSE
> X509v3 Extended Key Usage:
> OCSP Signing
> Netscape Comment:
> OpenSSL Generated OCSP Certificate
> X509v3 Subject Key Identifier:
> AB:66:CE:08D:F2:3F:9E:45:67:694:05:8C:28:85:0C:F6:08:18
> X509v3 Authority Key Identifier:
> keyid:AB:66:CE:08D:F2:3F:9E:45:67:694:05:8C:28:85:0C:F6:08:18
>
> X509v3 Subject Alternative Name:
>
>
> Signature Algorithm: sha1WithRSAEncryption
> 65:6f:a9:c8:b2:e5:83:e6:20:c5:00:55:61:df:ee:ee:45:1d:
> ff:fb:3e:87:1b:2e:b5:92:d3:ce:a5:8e:06:22:1d:73:eb:68:
> 59:45:a1:51:e4:a6:9d:e9:d4:10:c9:a7:2d:a4:3b:34:49:0a:
> 3c:fa:9f:a1:16:49:6f:f1:5c:07:6b:05:40:1d:0f:1e:05:71:
> 43:60:b9:d5:32:f6:d7:a8:6b:9c:5e:8e:1b:e9:ab:d8:51:96:
> a1:cd:79:c4:6a:4d:5d:e5:d4:9f:10:a8:86:b4:4e:ab:8a:97:
> 70:7e:13:39:c9:0c:2d:38:4b:2e:ae:21:f7:b7:3a:a0:82:03:
> c3:fd
>
>
> Simon McMahon
>
> "Kyle Hamilton"
> 25/10/2007 01:09 PM
>
> To
> openssl-users@openssl.org, Simon McMahon/Australia/Contr/IBM@IBMAU
> cc
>
> Subject
> Re: refresh validity dates on a certificate
>
>
> What I would do is a pair of commands:
>
> $ openssl x509 -in currentcertificate.pem -out selfsigned.pem -days 1024 -signkey currentkey.pem
> $ openssl x509 -in selfsigned.pem -days 1024 -CA ca.pem -CAserial serial -out refreshedcert.pem -outform PEM
>
> Since you're creating a self-signed cert in the first command, the
> input is appropriate for the -CA function.
>
> Note, under the BUGS section of the 'x509' man page, it says:
> "Extensions in certificates are not transferred to certificate
> requests and vice versa." So you can't just convert to request and
> then sign the request. However, extensions are retained from cert to
> cert if you don't use the -clrext option.
>
> -Kyle H
>
>
> On 10/24/07, Simon McMahon wrote:
>> I found this in the pkcs#12 FAQ:
>>
>>
>> 2. Extend the CA expiry date with e.g.:
>> openssl x509 -in demoCA/cacert.pem -days 1024 -out cacert.pem -signkey demoCA/private/cakey.pem
>> ...
>>
>> This is almost correct for me, and it even preserves the
>> extensions, but
>> it always produces a self-signed cert by resetting the issuer.
>>
>> I also tried the following, where my cert is in ee.pem (signed by ca.pem):
>>
>> openssl x509 -in ee.pem -days 1024 -out ee_1.pem -CA ca.pem -CAserial serial
>>
>> It fails like this:
>> Loading 'screen' into random state - done
>> Getting CA Private Key
>> /C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=Test/CN=ee
>> error with certificate - error 20 at depth 0
>> unable to get local issuer certificate
>> /C=AU/ST=Queensland/O=IBM/L=Gold Coast/OU=Test/CN=ee
>> error with certificate - error 21 at depth 0
>> unable to verify the first certificate
>>
>> The doc says "Without the -req option the input is a certificate which
>> must be self signed" and the ee cert obviously isn't self-signed. Are there
>> any command options that can get this to work?
>>
>> I can write a program to do this but since it works already for
>> self-signed certs, I would have thought it would already be in
>> openssl.
>> Any reason why it's not in the 'openssl' command line tool?
>> If I patch the openssl tool to add this will it get integrated into the
>> main code base? I.e. would anyone else use this to refresh end-user certs?
>>
>> Simon McMahon

>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majordomo@openssl.org
>
>
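Added example (mine, not code from the thread or from the OpenSSL project): a POSIX shell script that rebuilds the situation discussed above with an OpenSSL CLI on PATH (1.1.x or 3.x) and shows the three things the messages circle around: how OpenSSL's `subjectKeyIdentifier = hash` derives the SKID, the AKID-against-issuer-SKID comparison Kyle describes (the same comparison a path builder makes), and a way to refresh validity that recomputes SKID/AKID instead of copying them verbatim as the ocspss2 dump shows. Only the names `ca`/`ocspss`, the 1024-day lifetime and the `x509 -CA` command come from the thread; the config files, the temp directory, the function names and the CSR round-trip are assumptions of this example.

```shell
#!/bin/sh
# Example script, not from the thread. Requires an OpenSSL CLI (1.1.x or 3.x).
# Everything is created in a scratch directory and removed on exit.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed req configs: a CA, and a self-signed OCSP responder whose AKID
# names its own key (the situation of the thread's original ocspss cert).
# SKID must precede AKID in the section so "keyid" can be resolved.
cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = ca
[ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
sed -e 's/^CN = ca$/CN = ocspss/' \
    -e 's/^basicConstraints = .*/basicConstraints = CA:FALSE/' \
    -e 's/^keyUsage = .*/extendedKeyUsage = OCSPSigning/' ca.cnf > ocspss.cnf

openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -config ca.cnf -days 730 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -keyout ocspss.key -out ocspss.pem \
    -config ocspss.cnf -days 365 2>/dev/null

# Key identifier as printed in the text dump, normalised to lowercase hex
# without colons. $2 is "Subject" or "Authority". Releases before 3.0 print
# the AKID as "keyid:AB:..", 3.x prints the bare hex; both are handled.
keyid() {
    openssl x509 -in "$1" -noout -text |
      awk -v pat="$2 Key Identifier" \
        '$0 ~ pat { getline; sub(/^[ \t]*/, ""); sub(/^keyid:/, ""); print; exit }' |
      tr -d ':' | tr 'A-Z' 'a-z'
}

# What "subjectKeyIdentifier = hash" computes (RFC 5280 method 1): SHA-1 over
# the subjectPublicKey BIT STRING contents, which for RSA is the DER
# RSAPublicKey structure.
computed_skid() {
    openssl x509 -in "$1" -pubkey -noout |
      openssl rsa -pubin -RSAPublicKey_out -outform DER 2>/dev/null |
      openssl dgst -sha1 | sed 's/^.*= *//'
}

# The comparison a verifier makes before accepting $2 as the issuer of $1:
# the keyid in $1's AKID must equal $2's SKID.
akid_matches_issuer() {
    a=$(keyid "$1" Authority); s=$(keyid "$2" Subject)
    [ -n "$a" ] && [ "$a" = "$s" ]
}

# Path A: the thread's command (plus an explicit -CAkey). The input's
# extensions are carried over; whether this release leaves the copied AKID
# pointing at the responder's own key is reported by the check below.
openssl x509 -in ocspss.pem -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1024 -out ocspss2.pem 2>/dev/null

# Path B: turn the cert back into a request and re-issue it with an explicit
# extension section, so SKID/AKID are recomputed from the real keys. The
# section is needed because extensions do not survive the cert -> request
# conversion (the x509 BUGS note quoted in the thread).
openssl x509 -x509toreq -in ocspss.pem -signkey ocspss.key -out ocspss.csr 2>/dev/null
openssl x509 -req -in ocspss.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1024 -extfile ocspss.cnf -extensions ext -out ocspss3.pem 2>/dev/null

# 0 when the cert chains to ca.pem and its AKID names the CA's key.
refreshed_ok() {
    openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1 &&
      akid_matches_issuer "$1" ca.pem
}

for c in ocspss2.pem ocspss3.pem; do
    if refreshed_ok "$c"; then
        echo "$c: verifies, AKID names the CA key"
    else
        echo "$c: FAILS (AKID $(keyid "$c" Authority), CA SKID $(keyid ca.pem Subject))"
    fi
done
echo "ocspss SKID from dump:  $(keyid ocspss.pem Subject)"
echo "SHA-1(RSAPublicKey):    $(computed_skid ocspss.pem)"
```

The comparison in `akid_matches_issuer` is what OpenSSL's `X509_check_issued` does while looking for a chain's issuer: a keyid AKID that differs from the candidate's SKID is rejected with `X509_V_ERR_AKID_SKID_MISMATCH`, so a re-signed certificate that kept its old self-referential AKID will not chain to the CA even though its new signature is valid. The `-req -extfile` path is also the portable answer to the error 20/21 in the thread: the 0.9.8-era `x509 -CA` checked that the input certificate verified against itself, which a CA-signed input cannot do, whereas a request signed with an explicit extension section never reaches that check.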