On 28/08/2009 02:57, Patrick Patterson wrote:
Jehan PROCACCIA wrote:
On 26/08/2009 22:16, Patrick Patterson wrote:
Hi there:
Ok, then in my case $PREFIX is it_root_ca.crt (PKI public cert) and
$CAPREFIX is it_root_ca.key (PKI private key).
But here's what I get:
[pkiitr...@localhost ~/New_IT_ROOT_CA/pki/ca]
$ openssl x509 -set_serial 01 -clrext -extfile openssl.cnf -days 3650 -CA it_root_ca.key -CAkey it_root_ca.key -in it_root_ca.crt -out it_root_ca2.crt
The simplest way to do this is:
openssl x509 -signkey it_root_ca.key -in it_root_ca.crt -clrext -out it_root_ca2.pem -days 3650 -set_serial 01 -extfile openssl.cnf -extensions your_new_ca_extensions
Now, what are the contents of your openssl.cnf?
You SHOULD (for a Root CA) have a section similar to:
[your_new_ca_extensions]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
That's it, that's all.
OK, I used both of the commands I've been given, and now it works :-)
openssl x509 -signkey ca.key -set_serial $SERIAL -clrext -extfile opensslIT.cnf -extensions v3_ca -days 5475 -in ca.crt -out new_it_root_ca6.crt
or
openssl x509 -set_serial $SERIAL -clrext -extfile openssl.cnf -days 5475 -CA it_root_ca.crt -CAkey it_root_ca.key -in it_root_ca.crt -out it_root_ca4.crt
My new root CA is at
http://www.it-sudparis.eu/pki/IT_MASTER_CA/newitrootca.crt
But now I'm starting to configure an http server using that new Root CA,
and apparently a browser going to
https://svnext.it-sudparis.eu/ still shows, in the "details" tab, the
Root CA (class1) as the "old" one !?
Here are the relevant httpd ssl.conf directives:
SSLCertificateFile /etc/pki/tls/certs/svnext.pem
SSLCertificateKeyFile /etc/pki/tls/private/svnext.key
SSLCertificateChainFile /etc/pki/tls/certs/new_ca-chain-institut-telecom.crt
SSLCACertificateFile /etc/pki/tls/certs/newitrootca.crt
( cat evry_ca.crt ; cat itca.crt ; cat newitrootca.crt ) > new_ca-chain-institut-telecom.crt
I can tell the old root CA and the new root CA apart by their "not after" dates, for
example:
in the Browser, not after reads
(04/02/2023 16:48:16 GMT)
although it should read
[r...@svnext /etc/pki/tls/certs]
$ openssl x509 -in newitrootca.crt -text | grep "Not After"
Not After : Aug 23 09:37:00 2024 GMT
I wonder if browsers read the root CA from SSLCACertificateFile or if they
deduce it from SSLCertificateFile /etc/pki/tls/certs/svnext.pem !?
In that case it means that I will have to re-sign all my servers :-( ?
Did you replace the root CA certificate on your client with the new one?
Also, did you replace your root CA certificate on the server with the
new one?
Now I have removed all my mozilla (firefox, seamonkey) profiles on my test
client;
is that what you mean by "replacing the root CA certificate on your client"?
Since I erased the profiles (and hence the stored CA and server certificates),
going to https://svnext.it-sudparis.eu/ now shows me the svnext server
certificate,
but when I go to the "details" tab in firefox (add exception ...) I now
see only a 2-level CA hierarchy !?
IT_CA (level2) -> Evry_CA (tmsp level3) then the svnext cert, but no
trace of IT_ROOT_CA (level1) :-( .
Indeed, an openssl s_client test shows me
[proca...@anaconda ~]
$ openssl s_client -host svnext.it-sudparis.eu -port 443 -CAfile /etc/pki/tls/certs/newitrootca.crt -showcerts
CONNECTED(00000003)
depth=2 /CN=Institut TELECOM class2 Certificate Authority/OU=Institut
TELECOM/O=Institut TELECOM/C=fr
verify error:num=20:unable to get local issuer certificate
verify return:0
It seems that the Class2 (level2) certificate doesn't recognize my new
Class1 (level1).
Do I have to "re-sign" level2 (IT_CA), and then I suppose level3
(Evry_CA), in order to reconstruct a correct chain?
Re-signing those two intermediate CAs could be OK, but the whole purpose of
this thread was not to re-sign my hundreds of servers below the level3 CA !
Could you confirm that for me?
Regards.
PS: my svnext ssl.conf:
SSLCertificateChainFile /etc/pki/tls/certs/new_ca-chain-institut-telecom.crt
SSLCACertificateFile /etc/pki/tls/certs/newitrootca.crt
SSLCertificateFile /etc/pki/tls/certs/svnext.pem
SSLCertificateKeyFile /etc/pki/tls/private/svnext.key
Until you do this, all of your clients will continue to use the old
client. Also, for those few clients that actually chase AIA, you have to
replace the root CA certificate with the new one at the original URL.
What does AIA mean?