Franck Martin wrote:
> 
> I'm writing an SSL Certificate HOWTO, that I will submit to the LDP.
[...]
> I want to know the procedure to renew a certificate with OpenSSL. It seems
> there is a bug in OpenSSL, as it does not want to sign again a request
> certificate if the DN is already inside the Certificate Database.

AFAIK this is not a bug but a feature (?). This prevents you from having
multiple valid certificates with the same DN. This should be avoided as reported
in the RFCs; anyway, it is common practice in most PKIs.

To renew a certificate you'll have either to:

        1. Revoke it before issuing the new certificate;

        2. Hack the index.txt file, changing the status of the
           certificate from 'V' to 'E' and adding a valid expiration
           date.

However, keep in mind that certificate renewal (issuing a new certificate to
the same subject using the same key) should be discouraged, as the key's
lifetime should be considered ended with the expiration of the certificate
(or you could have issued the certificate with a longer validity period,
don't you think?), at least in my opinion.

-- 

C'you,

        Massimiliano Pala

--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]                  [EMAIL PROTECTED]
http://www.openca.org                            Tel.:   +39 (0)59  270  094
http://openca.sourceforge.net                    Mobile: +39 (0)347 7222 365
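As an added illustration of the index.txt bookkeeping discussed above (example code, not part of the original thread or of OpenSSL/OpenCA): a check for an existing 'V' entry with the same DN, which is exactly the condition that makes `openssl ca` refuse to sign again, and a pass that flips past-due 'V' entries to 'E', which is what `openssl ca -updatedb` does. The index rows are constructed sample data.

```shell
#!/bin/sh
# index.txt is tab-separated: status (V/R/E), expiry (YYMMDDHHMMSSZ),
# revocation date (empty unless R), serial, cert file, subject DN.
# Constructed sample rows standing in for a real CA database.
sample_index() {
    printf 'V\t250101000000Z\t\t01\tunknown\t/CN=www.example.org\n'
    printf 'R\t260101000000Z\t240601120000Z\t02\tunknown\t/CN=old.example.org\n'
    printf 'V\t300101000000Z\t\t03\tunknown\t/CN=mail.example.org\n'
}

# has_valid_entry DN: reads an index on stdin, exits 0 when a 'V' row with
# that exact DN exists (the case in which the CA will not sign a new request).
has_valid_entry() {
    awk -F '\t' -v dn="$1" '$1 == "V" && $6 == dn { found = 1 } END { exit !found }'
}

# expire_entries NOW: reads an index on stdin, writes it back with every 'V'
# row whose expiry is <= NOW marked 'E'. Timestamps are fixed-width
# YYMMDDHHMMSSZ, so a plain string comparison orders them correctly.
expire_entries() {
    awk -F '\t' -v now="$1" 'BEGIN { OFS = "\t" } $1 == "V" && $2 <= now { $1 = "E" } { print }'
}

# Option 1 from the reply, for a CA configured in openssl.cnf: revoke the
# old certificate, then sign the new request. Not invoked here (needs a CA).
renew_after_revoke() {
    openssl ca -revoke "$1" && openssl ca -in "$2" -out "$3"
}

# Demo run against the constructed index.
if sample_index | has_valid_entry '/CN=www.example.org'; then
    echo "www.example.org: valid entry present, CA would refuse to re-sign"
fi
echo "--- index after marking entries expired as of 2025-06-01 ---"
sample_index | expire_entries 250601000000Z
```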
