Hi Andreas:

Andreas Grimmel wrote:
> Hello list,
>
>
> I got one big problem for now: My self-signed CA cert will expire in
> about one month. I installed it 4 years ago and never minded about it, but
> now I have to renew it.
>
> The Creation of a whole new CA and client certificates isn't possible
> for me because of the large number of clients using my certs (VPN
> Roadwarriors, Webservers, Mailservers, and so on).
> Since I didn't find very much useful information on the net concerning
> the renewal of certificates (might be I did the wrong searches?), I want
> to ask you some points:
>
> - First of all, is there any HowTo that deals not only with creation, but
> also with the renewal of self-signed CA certs in detail?
>

That depends on what you need to do by policy for renewal. There is no
such thing as "technical renewal" - there is only policy-based. Since
this sounds like an ad-hoc CA without a formal Certificate Policy, you
have some choices:

1: Assuming that you've got a sane key length (RSA 1024 or greater),
just create a new, self-signed certificate with a new validity period
and the exact same name as your old one. That way, you'll be able to
just keep issuing CRLs with the same keys, and nothing will break.
You'll have to distribute the new certificate to your relying
parties, but you'll have to do that no matter what you do.

2: If you're also worried about the private key possibly being
compromised due to length of time in service, here's what you do:

a: Create an entirely new CA IMMEDIATELY, and only issue new end entity
certificates from that CA.

b: Keep your old CA around until it expires, and keep issuing Revocation
information on those certificates.

c: Distribute out the new CA Certificate from (a) to your relying parties.

If the lifetime of the CA is now less than the remaining validity of the
end entity certificates, I would strongly suggest, if possible, that you
do option 1. Otherwise, you're sort of stuck.

All of the above is possible using your fairly normal OpenSSL CA commands.

> More detailed, and for addressing my actual problem right now, I'd need
> to know:
> - Is it possible to renew a CA cert in such a way that those user certs
> which I signed with the old CA cert recently (meaning less than one year
> ago) still remain valid?

This depends on:

1: If you do (1) above, on whether you give the relying party the new
signing CA certificate.

2: If you do (2) above, on whether the client actually checks for CA
certificate validity (you'd be amazed at the number that don't).

> - if yes, how would I manage this using the good old openssl commands?
>

I'm not sure I understand - as I said above, there is no such thing as
technical renewal. The only thing that a CA can do is Sign and Revoke.
So everything else is just a function of that. And since you're running a
CA and issuing and revoking certificates, I can probably safely assume
that you know how the commands sign and revoke certs.

> - I assume I have to replace the old with the new CA cert on every
> client machine where it is installed, as long as I don't set up a web-
> based (e.g. url-fetching) mechanism - correct?
>

Even if you set up a "web based" mechanism, you'll still have to go
around to every client and install that certificate into their trusted
root or trust anchor store. If you don't have to do any specific action
to do this on any of your platforms, I would look at them somewhat
suspiciously, because that means that any certificate presented with an
AIA field that is followed will be trusted.

> Your help is GREATLY appreciated - and thanks a lot in advance.
>

Hope that helps.

---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
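Option 1 from the reply above, worked through with plain openssl commands as an added example (this is not code from the thread or from OpenSSL's documentation): the CA certificate is re-issued with the same private key and the same subject name, and an end-entity certificate issued under the old CA certificate is then verified against the renewed one. A second run re-issues with a fresh key to show why the existing chain breaks in that case. The names (Example Root CA, client1) and the temporary working directory are constructed for the demo.

```shell
#!/bin/sh
# Renewing a self-signed CA certificate: same key + same subject name keeps
# existing end-entity certs valid; a new key does not. Names are constructed.
set -e

# $1 = "same-key" (option 1) or "new-key". Prints "valid" or "invalid".
renew_ca_demo() {
  mode=$1
  work=$(mktemp -d)
  ( cd "$work"
    # Old CA: RSA 2048 key, self-signed cert that is about to expire (1 day left)
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -key ca.key -days 1 -subj "/CN=Example Root CA" \
        -out ca-old.crt 2>/dev/null

    # Client cert issued under the old CA cert, still valid for 30 days
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -key client.key -subj "/CN=client1" -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA ca-old.crt -CAkey ca.key -CAcreateserial \
        -days 30 -out client.crt 2>/dev/null

    # Renewal: same subject name, new validity period. Option 1 reuses the key;
    # a freshly generated key models a replacement CA, where the old chain breaks.
    if [ "$mode" = "new-key" ]; then
      openssl genrsa -out ca-renew.key 2048 2>/dev/null
    else
      cp ca.key ca-renew.key
    fi
    openssl req -new -x509 -key ca-renew.key -days 3650 -subj "/CN=Example Root CA" \
        -out ca-new.crt 2>/dev/null

    # Does the already-issued client cert chain to the renewed CA cert?
    if openssl verify -CAfile ca-new.crt client.crt >/dev/null 2>&1; then
      echo valid
    else
      echo invalid
    fi
  )
  rm -rf "$work"
}

# Stand-alone run: show both outcomes
echo "same key: $(renew_ca_demo same-key)"   # valid
echo "new key:  $(renew_ca_demo new-key)"    # invalid
```

The relying parties still need the renewed CA certificate installed in their trust store, exactly as the reply says; what the same-key renewal buys you is that nothing already issued has to be re-signed.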

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org