On Wed, Oct 17, 2007 at 12:43:03PM -0700, Jim Fox wrote:

> 
> >I have a private CA certificate created using openssl command line. The
> >issue is that the certificate expires on 19th Oct, 2007. The question is
> >that "Is it possible to extend the expiry of this certificate without
> >changing any other fields in the certificate?" Basically, I want to continue
> >using this CA Cert to sign end-user certs for a longer time.
> >Any help will be appreciated. Thanks.
> >
> 
> Use the same key and the same DN and the cert will continue
> to act as a valid CA for any other certs you have signed.

Also the same serial number and authority identifier in v3 extensions
if present in the expiring CA cert, for example:

    ...
    Serial Number:
        c5:30:80:16:44:78:d9:12
    ...
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Subject Key Identifier:
            F1:EF:77:42:18:C4:D6:E2:6D:1C:3D:A8:02:BE:E2:F3:E4:6E:50:40
        X509v3 Authority Key Identifier:
            keyid:F1:EF:77:42:18:C4:D6:E2:6D:1C:3D:A8:02:BE:E2:F3:E4:6E:50:40
            DirName:<CA DN>
            serial:C5:30:80:16:44:78:D9:12
    ...

If any of this information changes, certificates will fail verification.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
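
Added example, not part of the original thread: the sketch below reissues a throwaway CA certificate with `openssl req -x509 -set_serial` (one way to do it, chosen here) and checks an already-issued leaf against the reissued copies. The DN, serial numbers, file names and the leaf's `authorityKeyIdentifier` setting are constructed for the demo.

```sh
#!/bin/sh
# Added demo: the DN, serials and file names are constructed, not from the thread.
make_ca() {   # make_ca <out.pem> <serial> <days>: self-sign with ca.key and the DN in ca.cnf
    openssl req -new -x509 -config ca.cnf -key ca.key -set_serial "$2" -days "$3" -out "$1"
}

leaf_verifies() {   # leaf_verifies <ca.pem>: does the already-issued leaf chain to this CA cert?
    openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1
}

setup_demo() {
    WORK=$(mktemp -d) && cd "$WORK" || return 1
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Org
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[v3_leaf]
# Pins the issuer's key id, DN and serial into the leaf, like the dump in the thread.
authorityKeyIdentifier = keyid:always,issuer:always
EOF
    openssl genrsa -out ca.key 2048 2>/dev/null || return 1
    make_ca ca-old.pem 4097 1 || return 1            # the "expiring" CA cert, serial 0x1001
    # End-user cert issued while the old CA cert was current.
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=leaf.example" \
        -keyout leaf.key -out leaf.csr 2>/dev/null || return 1
    openssl x509 -req -in leaf.csr -CA ca-old.pem -CAkey ca.key -set_serial 2 \
        -days 30 -extfile ca.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null || return 1
    make_ca ca-renewed.pem 4097 3650 || return 1     # same key, DN and serial, later expiry
    make_ca ca-reserial.pem 4098 3650                # same key and DN, but a new serial
}

setup_demo || exit 1
for ca in ca-old.pem ca-renewed.pem ca-reserial.pem; do
    if leaf_verifies "$ca"; then echo "$ca: leaf verifies"; else echo "$ca: leaf FAILS"; fi
done
```

The leaf fails against `ca-reserial.pem` only because its Authority Key Identifier records the issuer serial; a leaf carrying just the key id would still chain to it.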