The best way is to have the unique_subject = no, and then allow for
the download and installation of the new cert.  Once that's done,
revoke the old one.

As for why it's not the default, it's because there are other
applications besides just web server certification that require
additional security measures, and it's better for the default to err
on the side of caution than unwittingly open windows of vulnerability.

-Kyle H

On 3/2/06, Brian Candler <[EMAIL PROTECTED]> wrote:
> Using openssl as a CA, I'm wondering what the best way is to renew a
> certificate without first revoking the previous one. Revoking the previous
> one would leave a window of vulnerability where a machine may be trying to
> use the old certificate, as it hasn't yet downloaded the new one, but other
> machines that have picked up the latest CRL will refuse to communicate with
> it.
>
> To demonstrate:
>
>     $ ./CA.sh -newca
>     $ openssl genrsa -des3 -out server.key 1024
>     $ openssl req -new -key server.key -out server.csr
>     $ openssl ca -policy policy_anything -out server.crt -infiles server.csr
>     ...
>     Certificate Details:
>             Serial Number: 1 (0x1)
>             Validity
>                 Not Before: Mar  2 12:51:16 2006 GMT
>                 Not After : Mar  2 12:51:16 2007 GMT
>     ...
>     Sign the certificate? [y/n]:y
>     1 out of 1 certificate requests certified, commit? [y/n]y
>     Write out database with 1 new entries
>     Data Base Updated
>
> All very well so far. Now I want to refresh the certificate, issuing a new
> one with a later expiry date. Nothing in the CSR will have changed (in
> particular I'm assuming the endpoint will be using the same private key), so
> I just try to re-sign the same CSR:
>
>     $ openssl ca -policy policy_anything -out server.crt -infiles server.csr
>     Certificate Details:
>             Serial Number: 2 (0x2)
>             Validity
>                 Not Before: Mar  2 12:52:17 2006 GMT
>                 Not After : Mar  2 12:52:17 2007 GMT
>     ...
>     Sign the certificate? [y/n]:y
>     failed to update database
>
> Now, I notice the constraint in index.txt.attr:
>
>     unique_subject = yes
>
> If I set this to 'no', I can have both certificates active at once. Is this
> the recommended way to allow for certificate renewal (in which case, why
> isn't it the default)? Or is there something else I'm missing?
> index.txt.attr is not mentioned in the ca manpage AFAICS.
>
> index.txt doesn't seem to include the public key, so I imagine it's unable
> to distinguish between "re-issuing a certificate to the same endpoint" (OK)
> and "issuing a certificate to a different endpoint but with a conflicting
> subject" (not OK).
>
> Thanks,
>
> Brian.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
>
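The renewal cycle described in this thread, as an added, self-contained shell example (not code from either poster or from the OpenSSL project): it builds a throwaway CA with a minimal inline `ca.cnf` in place of `CA.sh`, shows the second signing of the same CSR being refused while `index.txt.attr` says `unique_subject = yes`, flips the attribute to `no` to reissue, checks that the old and new certificates are both accepted during the hand-over, and only then revokes the old serial and publishes a CRL. The subject `CN=server.example`, the CA name, the temp-directory layout and the result variables are assumptions made for this demo.

```shell
#!/bin/sh
# Added example: gap-free certificate renewal with "openssl ca".
# Hypothetical names: CN=server.example, the ca.cnf written below, and the
# RESULT variables set by renewal_demo.

# verify_status TRUSTFILE CERT [EXTRA_FLAGS]: prints "valid" or "rejected".
verify_status() {
  if openssl verify $3 -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo valid
  else
    echo rejected
  fi
}

renewal_demo() {
  CADIR=$(mktemp -d)
  mkdir -p "$CADIR/newcerts"
  : > "$CADIR/index.txt"
  echo 1000 > "$CADIR/serial"
  echo 1000 > "$CADIR/crlnumber"

  # Minimal CA configuration, constructed for this demo (replaces CA.sh).
  cat > "$CADIR/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $CADIR/index.txt
new_certs_dir    = $CADIR/newcerts
serial           = $CADIR/serial
crlnumber        = $CADIR/crlnumber
certificate      = $CADIR/cacert.pem
private_key      = $CADIR/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_anything
x509_extensions  = usr_cert
[ policy_anything ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
EOF

  # CA key/cert, then the endpoint's key and CSR (same key reused at renewal).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$CADIR/cakey.pem" \
    -out "$CADIR/cacert.pem" -subj /CN=Demo-CA -days 3650 \
    -config "$CADIR/ca.cnf" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$CADIR/server.key" \
    -out "$CADIR/server.csr" -subj /CN=server.example \
    -config "$CADIR/ca.cnf" >/dev/null 2>&1

  # First issuance under the default constraint.
  printf 'unique_subject = yes\n' > "$CADIR/index.txt.attr"
  openssl ca -batch -notext -config "$CADIR/ca.cnf" \
    -in "$CADIR/server.csr" -out "$CADIR/server1.crt" >/dev/null 2>&1

  # Re-signing the same CSR is refused while the old entry is still valid.
  if openssl ca -batch -notext -config "$CADIR/ca.cnf" \
       -in "$CADIR/server.csr" -out "$CADIR/server2.crt" >/dev/null 2>&1; then
    REISSUE_UNDER_UNIQUE_YES=issued
  else
    REISSUE_UNDER_UNIQUE_YES=rejected
  fi

  # Relax the constraint as the thread suggests, then renew.
  printf 'unique_subject = no\n' > "$CADIR/index.txt.attr"
  if openssl ca -batch -notext -config "$CADIR/ca.cnf" \
       -in "$CADIR/server.csr" -out "$CADIR/server2.crt" >/dev/null 2>&1; then
    REISSUE_UNDER_UNIQUE_NO=issued
  else
    REISSUE_UNDER_UNIQUE_NO=rejected
  fi

  # Hand-over window: both certificates chain to the CA, nothing is refused.
  OLD_BEFORE_CRL=$(verify_status "$CADIR/cacert.pem" "$CADIR/server1.crt")
  NEW_BEFORE_CRL=$(verify_status "$CADIR/cacert.pem" "$CADIR/server2.crt")

  # Once the new cert is installed: revoke the old serial and publish a CRL.
  openssl ca -config "$CADIR/ca.cnf" -revoke "$CADIR/server1.crt" >/dev/null 2>&1
  openssl ca -config "$CADIR/ca.cnf" -gencrl -out "$CADIR/crl.pem" >/dev/null 2>&1
  cat "$CADIR/cacert.pem" "$CADIR/crl.pem" > "$CADIR/trust_with_crl.pem"
  OLD_AFTER_CRL=$(verify_status "$CADIR/trust_with_crl.pem" "$CADIR/server1.crt" -crl_check)
  NEW_AFTER_CRL=$(verify_status "$CADIR/trust_with_crl.pem" "$CADIR/server2.crt" -crl_check)
  ACTIVE_ROWS=$(grep -c '^V' "$CADIR/index.txt" || true)

  echo "reissue with unique_subject=yes: $REISSUE_UNDER_UNIQUE_YES"
  echo "reissue with unique_subject=no:  $REISSUE_UNDER_UNIQUE_NO"
  echo "old/new before CRL: $OLD_BEFORE_CRL/$NEW_BEFORE_CRL"
  echo "old/new after CRL:  $OLD_AFTER_CRL/$NEW_AFTER_CRL"
  echo "index.txt (V = valid, R = revoked):"
  cat "$CADIR/index.txt"
  rm -rf "$CADIR"
}

renewal_demo
```

Run it as `sh renew_demo.sh`. The `index.txt` dump at the end shows why the database alone cannot tell a renewal from a subject collision: the two rows differ only in serial and expiry, exactly as the original poster observed, so the operator (not OpenSSL) is the one who has to revoke the superseded serial once the new certificate is in place.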