Well again folks, thanks once more for your comprehensive help.

Larry Bugbee wrote:
> On Mar 24, 2008, at 9:28 AM, Andreas Grimmel wrote:
>> I found this command somewhere in a forum:
>>
>> openssl x509 -in cacert-old.pem -days 1460 -out cacert-new.pem -signkey private/cakey.pem
>>
>> - in my understanding, this command takes the old cert, changes the
>> validity to four more years (1460 days), and generates the new cert
>> signed with the same old private/cakey.pem - somewhat logically.
>
> No, that command re-signs the cert but all the identity and expiry info
> is identical. You will need to create a fresh CSR with the same
> identity info to get a new expiry.
>
>> But: opposite to that, *I* would have used this command, as I did
>> when creating the original (old) CA cert:
>> openssl req -new -x509 -days 1460 -key private/cakey.pem -out cacert.pem
>> - means to just create a new cert using the same old
>> private/cakey.pem again.
>>
>> As I can see, the only difference would be that in the upper command,
>> I probably don't have to enter the ASN1 DN credentials like CN/ST and
>> so on again, since this would be taken from the old cert
>> Am I correct here?
>
> No. The first command just re-signs the cert. Its expiry remains
> unchanged. Use the second command and be sure to type exactly what
> was on the old cert. Confirm with a -text. Test.
>
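
The closing advice in the quoted reply (use the second command with the identical DN, confirm, test) written out as a script; this is an added example, not part of the original thread. The file names, the DN and the helper names `renew_ca`, `cert_field`, `same_identity` and `demo` are assumptions, and `-subj` stands in for typing the DN at the prompts.

```shell
#!/bin/sh
# Added example (not from the thread). File names and DNs are constructed.

# Self-signed cert from an existing key: the thread's second command, with
# -subj supplying the DN instead of the interactive prompts.
renew_ca() {  # renew_ca KEY SUBJECT DAYS OUT
    openssl req -new -x509 -days "$3" -key "$1" -subj "$2" -out "$4"
}

# Print one field of a certificate, e.g. subject, enddate, pubkey.
cert_field() {  # cert_field CERT FIELD
    openssl x509 -in "$1" -noout -nameopt RFC2253 "-$2"
}

# Succeeds only if NEW carries the same subject DN and public key as OLD.
same_identity() {  # same_identity OLD NEW
    [ "$(cert_field "$1" subject)" = "$(cert_field "$2" subject)" ] &&
    [ "$(cert_field "$1" pubkey)" = "$(cert_field "$2" pubkey)" ]
}

# Throwaway CA: issue a leaf under the old cert, renew, confirm, test.
demo() {
    d=$(mktemp -d) || return 1
    subj='/C=DE/O=Example Org/CN=Example Root CA'
    openssl genrsa -out "$d/cakey.pem" 2048 2>/dev/null || return 1
    renew_ca "$d/cakey.pem" "$subj" 30 "$d/cacert-old.pem" || return 1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
        -subj '/CN=host.example' -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/cacert-old.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial -days 20 \
        -out "$d/leaf.pem" 2>/dev/null || return 1
    renew_ca "$d/cakey.pem" "$subj" 1460 "$d/cacert-new.pem" || return 1
    rc=0
    same_identity "$d/cacert-old.pem" "$d/cacert-new.pem" || rc=1
    # The existing leaf must still chain to the renewed CA cert.
    openssl verify -CAfile "$d/cacert-new.pem" "$d/leaf.pem" >/dev/null || rc=1
    echo "old: $(cert_field "$d/cacert-old.pem" enddate)"
    echo "new: $(cert_field "$d/cacert-new.pem" enddate)"
    rm -rf "$d"
    return $rc
}

demo
```
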

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org