On 09.03.2014 14:39, Michael Post wrote:
Last year I created my keys, certs and so on with the following steps
for an OpenVPN server:

the only certificate that is still valid is your self-signed CA certificate;
##### Serverside ########

openssl req -new -x509 -newkey rsa:2048 -keyout ssl_priv.pem -out ca_cert.pem -days 3650 -config ./openssl.conf

openssl x509 -in ca_cert.pem -out ca_cert.crt

ca_cert.pem and ca_cert.crt are the same, both are in PEM format;

openssl x509 -inform PEM -in ca_cert.pem -outform DER -out ca_cert.crt
would convert it from PEM to DER format;

openssl genrsa -out serverkey.pem -aes128 2048 -days 3650 -config ./openssl.conf

openssl req -new -key serverkey.pem -out req.pem -nodes -config ./openssl.conf

openssl ca -keyfile ssl_priv.pem -cert ca_cert.pem -in req.pem -notext -out servercert.pem -config ./openssl.conf

your openssl.cnf has the setting for how many days the certificates are valid; the
-days 3650 from the key generation step above is ignored;


And today my certificate is invalid, because due to an "error" the
servercert.pem is only valid for 365 days. It should be 3650 days.


##### Serverside created, but copied to every client ########

With the following commands I created the client certificates and keys

openssl req -new -keyout clients/client-key-XXXXX.pem -out clients/client-req-XXX.pem -days 365 -config ./openssl.conf

why do you add the -days option when generating the private key or cert request, and not when signing the request?
openssl ca -keyfile ssl_priv.pem -cert ca_cert.pem -in clients/client-req-XXX.pem -notext -out client-cert-XXX.pem -outdir clients -config ./openssl.conf
mv client-*.pem clients/


The client certificates are also invalid due to the same flaw in my scripts.

The clients are not accessible via remote maintenance because they are
UMTS clients with non-static IPs.

Is there any possibility to extend the certificates, keys and so on
server-side WITHOUT any change on the client side?

not really; every certificate became invalid; so every certificate must be renewed;
you can use the same private key and certificate request for this;
but without any change on the client side it will not work;

Greetings,
Walter
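As an added example that is not part of this thread (neither Michael's scripts nor Walter's commands), the script below reproduces the mistake and shows where -days actually takes effect: it builds a throwaway CA whose openssl.cnf has default_days = 365, signs one CSR twice from the same key and request (once relying on the config, once with -days 3650 on the `openssl ca` step) and reads the resulting lifetime back from each certificate. It assumes `openssl` and GNU `date` are on PATH; all file names and the temp directory are the example's own.

```shell
# Added example (not from the thread): -days on genrsa/req is ignored for a CSR;
# the lifetime comes from default_days in openssl.cnf or -days on `openssl ca`.
set -eu
setup_ca() {
  WORK=$(mktemp -d); mkdir "$WORK/newcerts"; : > "$WORK/index.txt"; echo 01 > "$WORK/serial"
  # Minimal openssl.cnf; default_days = 365 is what silently decided the lifetime in the post.
  cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca_cert.pem
private_key = \$dir/ssl_priv.pem
default_md = sha256
default_days = 365
unique_subject = no
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  # Self-signed CA: here -days is honoured, because with -x509 req emits a certificate.
  openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ssl_priv.pem" -out "$WORK/ca_cert.pem" \
    -days 3650 -subj "/CN=Example CA" -config "$WORK/openssl.cnf" 2>/dev/null
}
make_csr() {   # key + CSR; -days is ignored here (no -x509), exactly as in the original scripts
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/serverkey.pem" -out "$WORK/req.pem" \
    -days 3650 -subj "/CN=openvpn-server" -config "$WORK/openssl.cnf" 2>/dev/null
}
sign_csr() {   # sign_csr CSR OUT [DAYS]; without DAYS, openssl ca falls back to default_days
  days=${3:-}; set -- -config "$WORK/openssl.cnf" -in "$1" -out "$2"
  [ -n "$days" ] && set -- "$@" -days "$days"
  openssl ca -batch -notext "$@" >/dev/null 2>&1
}
cert_days() {  # lifetime in whole days, read from the certificate's own notBefore/notAfter
  nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  echo $(( ( $(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s) ) / 86400 ))
}
setup_ca; make_csr
sign_csr "$WORK/req.pem" "$WORK/cert_default.pem"      # config default -> 365 days
sign_csr "$WORK/req.pem" "$WORK/cert_3650.pem" 3650    # same key and CSR -> 3650 days
echo "default_days: $(cert_days "$WORK/cert_default.pem") days, -days 3650: $(cert_days "$WORK/cert_3650.pem") days"
```

The second `sign_csr` call is the server-side renewal Walter describes: the old key and request are reused, but the client still needs the new certificate copied to it.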

