[EMAIL PROTECTED] wrote:

I have been trying to renew a certificate generated for signing emails.
The renewal goes OK: first revoke the old one, then re-sign the req with a new end date
etc., and I can use the new certificate OK.

However, if I try to open an "old" email sent from home using my old
certificate to sign it, I can't: Outlook can't find the private key for
the message. But if I put the expired certificate back on my Windows box
it does find it and all is well.

Does this mean that to open old email I always need to leave my expired certs
on the PC, or have I not managed to re-sign the certificate properly? Or
is this just the way it works?

I have investigated, and the new certificate has a different serial number
to the old one. If I "fiddle" the certificate number for openssl to
re-sign the certificate with the same serial number, it works! But I am
sure you are not supposed to do this!

Anyone any ideas, suggestions?

DEREK
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]


I'm afraid that this is "just the way it works".

One thing should be obvious: the private keys have to be available to read old mails, since otherwise the old mails would have to be re-encrypted with the new private key.

I'm not sure how you do a "renew" with Outlook. The implementations I've seen always generate a new private key and a new certification request if the old cert is expired. If you're working manually with openssl it is possible to generate a new certificate request for the same private key, but this new certificate is different from the old one. As you noticed, the serial number, as well as the "Not Before" and "Not After" fields, are modified, since the certificate in fact must be a new one (even if the private keys are the same). So I can imagine that Outlook cannot match the new certificate with the old mail even if it has the same public key. Anyone who knows better, please correct me.

Hope it helps,
Ted
;)

--
PGP Version: 2.6.3i Public Key Information
Download complete Key from ftp://ftp.convey.de/ted/tedkey.asc
Key fingerprint = 26 A9 0C 25 60 15 2C B2  D0 F3 A2 31 3D 35 F3 95
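An added example (not from the thread, and not Outlook's or OpenSSL's code) of the matching Ted describes: a CMS/S-MIME message names the signer's or recipient's certificate by issuer name plus serial number (IssuerAndSerialNumber), so a renewed certificate with the same key but a new serial does not match an old message, while keeping the old certificate in the store does. It assumes the Python `cryptography` package is installed; the address, dates and serial numbers are constructed.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def make_cert(key, serial, not_before):
    """Self-signed S/MIME-style cert for a constructed (hypothetical) address."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "derek@example.invalid")])
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(serial)
        .not_valid_before(not_before)
        .not_valid_after(not_before + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )


def cms_identifier(cert):
    """CMS (RFC 5652) SignerInfo/RecipientInfo identify a cert by issuer + serial."""
    return (cert.issuer.public_bytes(), cert.serial_number)


def find_by_issuer_serial(store, ident):
    """What a mail client does with an old message: look up the issuer + serial it carries."""
    return next((c for c in store if cms_identifier(c) == ident), None)


def spki(cert):
    """DER SubjectPublicKeyInfo, to show the two certs really share a key."""
    return cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    )


def demo():
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    start = datetime.datetime(2001, 1, 1, tzinfo=datetime.timezone.utc)  # constructed
    old = make_cert(key, serial=1001, not_before=start)
    # "Renewed" as the reply describes: same key, new serial, new validity dates.
    new = make_cert(key, serial=1002, not_before=start + datetime.timedelta(days=365))
    ident_in_old_mail = cms_identifier(old)  # this is what the old message carries
    return {
        "same_public_key": spki(old) == spki(new),
        "new_cert_only_matches": find_by_issuer_serial([new], ident_in_old_mail) is not None,
        "old_cert_kept_matches": find_by_issuer_serial([old, new], ident_in_old_mail) is old,
    }
```

Running `demo()` shows the new certificate sharing the key but failing the issuer/serial lookup, which is why keeping the expired certificate (and its key) on the machine is what makes the old mail readable again.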

