This was a certificate authority certificate. As such, the renewal has to have the same key and DN as the original in order to continue being a CA for previously signed certificates.
Jim
On Oct 17, 2007, at 5:54 PM, David Schwartz wrote:
It seems to me that the OP is indeed asking something else entirely different from the question which you yourself seem to have posed and then immediately failed to answer. He's asking
"Is it possible to extend the expiry of this certificate without changing any other fields in the certificate?"
to which it seems that the answer is
"Yes",
How could the answer be anything other than yes? Could there be some mysterious force that compels you to change other fields?
Or you can argue that the answer is "no", since you have to at least change the signature and you pretty much have to change the serial number.
And the OP replies:
Yes. That's what I was trying to ask. So, how can I change the expiry date of an existing certificate without changing any other field? Is there any openssl command that I may use?
Did you not read or understand my answer? There is no difference between changing the date on the old certificate and issuing a new certificate. If you know how to issue a new certificate, you know how to change the date on an existing one because THERE IS NO DIFFERENCE BETWEEN THESE TWO THINGS other than philosophical differences.
If you issue a new certificate that is the same as the old except for the serial number, how will anyone know you didn't just change the serial number on the old one? Will they somehow be the same bits and not new bits? IT MAKES NO DIFFERENCE. The question, as asked, is purely philosophical.
Just issue a new certificate the same way you issued the original one, changing only the expiration date (and the signature, if you want). Tell everyone you changed the expiration date on the original, they won't be able to tell that you're lying.
If you don't know how to or can't issue a new certificate with a new expiration date, then you can't change the expiration date on the old one either. Why? BECAUSE THEY'RE THE SAME THING. They're just two different ways of saying the same thing.
If your driver's license expires, you can change the expiration date on the license and reprint it. Or you can get a new license with a new expiration date. The difference is -- wait for it -- nothing at all. It's the same thing. The same procedure to "issue a new license with a new expiration date" can be said to "reissue the original license with a new expiration date". The only thing that makes it "new" or "reissued" is the difference between the two licenses which is just the expiration date!
Sorry if this sounds like insane ranting. I'm really trying to be helpful, but it seems like it didn't sink in the first time.
DS
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
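
Added example, not part of the original thread: the CA renewal described above (same key, same DN, new validity period) done with the openssl command line, followed by a check that a certificate signed before the renewal still verifies. The subject names, file names and lifetimes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Subject names, file names and lifetimes are constructed
# for the demonstration; nothing here comes from the thread's own CA.
CA_DN="/O=Example Org/CN=Example Root CA"

renew_ca_demo() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    cd "$dir" || exit 1

    # Original CA: new key plus a self-signed certificate valid for 30 days.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key \
        -out ca-old.pem -subj "$CA_DN" -days 30 2>/dev/null || exit 1

    # A leaf certificate signed while the original CA certificate was current.
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/O=Example Org/CN=leaf.example.test" 2>/dev/null || exit 1
    openssl x509 -req -in leaf.csr -CA ca-old.pem -CAkey ca.key \
        -CAcreateserial -out leaf.pem -days 20 2>/dev/null || exit 1

    # Renewal: issue a new self-signed certificate from the SAME key with
    # the SAME DN. Only validity, serial number and signature change.
    openssl req -x509 -new -key ca.key -out ca-new.pem \
        -subj "$CA_DN" -days 3650 2>/dev/null || exit 1

    field() { openssl x509 -in "$1" -noout "$2"; }
    [ "$(field ca-old.pem -subject)" = "$(field ca-new.pem -subject)" ] || exit 1
    [ "$(field ca-old.pem -pubkey)"  = "$(field ca-new.pem -pubkey)" ]  || exit 1
    [ "$(field ca-old.pem -enddate)" != "$(field ca-new.pem -enddate)" ] || exit 1
    [ "$(field ca-old.pem -serial)"  != "$(field ca-new.pem -serial)" ]  || exit 1

    # The previously signed leaf chains to the renewed CA certificate.
    openssl verify -CAfile ca-new.pem leaf.pem >/dev/null 2>&1
)

renew_ca_demo && echo "leaf verifies under the renewed CA certificate"
```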