Hello Ted, In our application we have requirement to introduce new option which allows customers to renew their certificates which was installed in it already.
We would like to find out whether the new certificate is really a renewal certificate of old one so that we can allow them to replace the old one with new one. So to find out the match we decided to use fields (Issuer Or subject) And Serial number. But when I used openssl to create renew certificate as in the steps I mentioned already I see that the subject can be altered and serial number is different. >From your mail I understand that other than public key, any field can be different or same based on the CA that customer uses. We have many customers across globe and they get their certificates signed and renewed by many CA in market. So my conclusion, is its up to us to decide now on choosing match fields. Let me know if I am missing something. Thanks Kamalraj On Tue, Jan 21, 2014 at 1:30 PM, Bernhard Fröhlich <t...@convey.de> wrote: > Ho there, > > from the technical perspective (which is the thing this list is concerned > with) a "renewed" certificate is a new certificate for the same keys as the > old one. No step of the three you list as necessary is necessary from the > openssl point of view, but may be required by your CA. > > The data contained in the "renewed" certificate, beside the public part of > the key, is completely up to the issuing CA and usually laid down in their > policies. > > So, you should address your questions to the CA you want to get your > certificates from. If you are implementing your own CA, you have to decide > what you want to do. > Or was your question about best practices when creating a CA policy? > > Hope this helps at least a bit, > Ted > ;) > > Am 21.01.2014 06:51, schrieb Kamalraj Madhurakasan: > > Hello guys, >> >> I would like to know whether my understanding about certificate renewal >> is correct or not. >> >> To renew the certificate: >> >> 1. we need to generate a new CSR from the private key >> 2. revoke the old certificate >> 3. get the new CSR signed by the CA with validity extended >> >> The fields that are common between old and new renewed certificate will >> be: >> >> 1. SKI >> 2. AKI >> 3. Issuer >> 4. Public Key >> >> The fields are not be common are: >> >> 1. subject (I see that while generating new CSR we can change the subject) >> 2. Serial number >> 3. Other fields >> >> Please share your inputs on this. >> >> Thanks >> Kamalraj >> > > > -- > PGP Public Key Information > Download complete Key from http://www.convey.de/ted/tedkey_convey.asc > Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26 > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org >
