On Mar 24, 2008, at 9:28 AM, Andreas Grimmel wrote:

> I found this command somewhere in a forum:
>
> openssl x509 -in cacert-old.pem -days 1460 -out cacert-new.pem -signkey private/cakey.pem
>
> - in my understanding, this command takes the old cert, changes the
> validity to four more years (1460 days), and generates the new cert
> signed with the same old private/cakey.pem - somewhat logically.


No, that command re-signs the cert but all the identity and expiry info
is identical. You will need to create a fresh CSR with the same
identity info to get a new expiry.

> But: opposite to that, *I* would have used this command, as I did
> when creating the original (old) CA cert:
> openssl req -new -x509 -days 1460 -key private/cakey.pem -out cacert.pem
> - means to just create a new cert using the same old private/cakey.pem
> again.
>
> As I can see, the only difference would be that in the upper
> command, I probably don't have to enter the ASN1 DN credentials like
> CN/ST and so on again, since this would be taken from the old cert.
> Am I correct here?


No. The first command just re-signs the cert. Its expiry remains
unchanged. Use the second command and be sure to type exactly what
was on the old cert. Confirm with a -text. Test.
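
The renewal with the second command, followed by the "confirm" and "test" steps from the reply, as an added example that is not part of the original thread. It works in a temporary directory on a throwaway key; the subject, the leaf certificate and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: throwaway key, constructed subject and file names, nothing from a real CA.
SUBJ="/C=DE/O=Example Org/CN=Example Root CA"

renew_ca_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # "Old" CA: a key plus a short-lived self-signed certificate.
        openssl genrsa -out cakey.pem 2048 2>/dev/null || exit 1
        openssl req -new -x509 -days 30 -key cakey.pem -subj "$SUBJ" \
            -out cacert-old.pem || exit 1
        # A leaf certificate issued under the old CA certificate.
        openssl genrsa -out leaf.key 2048 2>/dev/null || exit 1
        openssl req -new -key leaf.key -subj "/CN=leaf.example" -out leaf.csr || exit 1
        openssl x509 -req -in leaf.csr -CA cacert-old.pem -CAkey cakey.pem \
            -set_serial 1 -days 10 -out leaf.pem 2>/dev/null || exit 1
        # Renewal: the second command from the thread, same key, same subject.
        openssl req -new -x509 -days 1460 -key cakey.pem -subj "$SUBJ" \
            -out cacert-new.pem || exit 1
        # Check 1: the subject DN is identical (hash of the encoded name).
        [ "$(openssl x509 -in cacert-old.pem -noout -subject_hash)" = \
          "$(openssl x509 -in cacert-new.pem -noout -subject_hash)" ] || exit 1
        # Check 2: both certificates carry the same public key.
        [ "$(openssl x509 -in cacert-old.pem -noout -pubkey)" = \
          "$(openssl x509 -in cacert-new.pem -noout -pubkey)" ] || exit 1
        # Check 3: the expiry date has actually changed.
        [ "$(openssl x509 -in cacert-old.pem -noout -enddate)" != \
          "$(openssl x509 -in cacert-new.pem -noout -enddate)" ] || exit 1
        # Check 4: a certificate issued under the old CA cert verifies under the new one.
        openssl verify -CAfile cacert-new.pem leaf.pem >/dev/null || exit 1
        # Human-readable confirmation (use -text instead for the full dump).
        openssl x509 -in cacert-new.pem -noout -subject -dates
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

renew_ca_demo && echo "renewal checks passed"
```

On a real CA, read the DN to retype with `openssl x509 -in cacert-old.pem -noout -subject` and run the same four checks against the real old and new files.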


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org