Re: How to Renew a Expired Self signed CA certificate

2011-11-06 Thread mallapadi niranjan
On Wed, Nov 2, 2011 at 7:53 AM, Nelson B wrote:

> On 2011/10/30 23:26 PDT, mallapadi niranjan wrote:
> > Hi all
> >
> > I would like to know how to renew a self-signed CA (RootCA) certificate
> > through certutil.
>
> [snip]
> > In the case of SubCA's it seems to be fairly easy to renew the Certificates
> > by using the same Private key in the nss database by specifying the
> > following option
> >
> > $certutil -d . -R -k "NSS Certificate DB:subCA" -s "cn=SubCA Authority,o=Example.COM" -a -o example.req2.txt
>
> Does that not also work for your root CA?  It should.
>
> > But not sure how to proceed with RootCA getting expired.
>
> What's unclear?
>
> Use the -R option as you've described above to make a new request for the
> root certificate.  Then use -C to issue the new certificate from that
> request, using the old root as the issuer.  Since the old root and new
> have the same public key, the new cert will be self-signed.
>

Thanks Nelson,

I tried that earlier but somehow it failed, but I could do that using the
below procedure:

Create a self signed root CA:

$certutil -S -d . -n "testca" -s "CN=rootca0,o=Example.com,c=US" -t "CT,," -x -2 -m  -v 1

Create a server certificate

$certutil -R -d . -s "CN=www.example.com,o=Example.com,C=US" -a -o example.req -v 12

Sign the Cert

$certutil -C -d . -c "testca" -a -i example.req -o server.pem -2 -6


Create a new rootCA using same private key

$certutil -d . -R -k "NSS Certificate DB:testca" -s "CN=rootca0,o=Example.com,c=US" -a -o rootca.req -m 0 -v 12


sign it with the old cert

$certutil -C -d . -c "testca" -a -i rootca.req -t "CT,," -v 12  -o cacert.crt

$certutil -L -d . -n testca

The above command shows the old certificate and also the new certificate.


Thanks
Niranjan



-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
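
The last step of the message above lists both the old and the renewed root under one nickname. The script below is an added example, not part of the thread or of NSS: it parses that `certutil -L` text and checks that the latest-expiring certificate has matching issuer and subject names and is still within its validity period. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `certutil -L -d DIR -n NICK` text on
# stdin; prints "<notAfter YYYYMMDDhhmmss> <kind> <serial>" per certificate.
# "self-issued" = issuer name equals subject name; the signature is not checked.
summarize_certs() {
  awk '
    function emit() {
      if (seen) print notafter, (issuer == subject ? "self-issued" : "other-issuer"), serial
    }
    /^[ \t]*Certificate:/ { emit(); seen = 1; issuer = subject = serial = notafter = "" }
    /^[ \t]*Serial Number:/ && serial == "" { serial = $3 }
    /^[ \t]*Issuer:/ && issuer == "" { sub(/^[ \t]*Issuer:[ \t]*/, ""); issuer = $0 }
    /^[ \t]*Subject:/ && subject == "" { sub(/^[ \t]*Subject:[ \t]*/, ""); subject = $0 }
    /^[ \t]*Not After/ {
      sub(/^[ \t]*Not After[ \t]*:[ \t]*/, "")
      split($0, f, /[ \t]+/)            # e.g. Thu Dec 01 06:21:37 2011
      m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[2]) + 2) / 3
      gsub(/:/, "", f[4])
      notafter = sprintf("%04d%02d%02d%s", f[5], m, f[3], f[4])
    }
    END { emit() }
  '
}

# Succeeds when the latest-expiring certificate is self-issued and not expired at
# $1 (YYYYMMDDhhmmss, default: current UTC; assumes the dump's times are UTC).
newest_root_valid() {
  now=${1:-$(date -u +%Y%m%d%H%M%S)}
  summarize_certs | sort -r | head -n 1 | {
    read -r notafter kind serial || exit 1
    [ "$kind" = "self-issued" ] && [ "$notafter" -gt "$now" ]
  }
}

# Constructed sample in the page's dump format: the old root plus a renewed one.
sample_listing() {
  cat <<'EOF'
Certificate:
    Serial Number: 0 (0x0)
    Issuer: "CN=testCA,O=Example.COM,C=US"
    Not After : Thu Dec 01 06:21:37 2011
    Subject: "CN=testCA,O=Example.COM,C=US"
Certificate:
    Serial Number: 1 (0x1)
    Issuer: "CN=testCA,O=Example.COM,C=US"
    Not After : Thu Nov 01 08:00:00 2012
    Subject: "CN=testCA,O=Example.COM,C=US"
EOF
}
```

Against a live database the check runs as `certutil -L -d . -n testca | newest_root_valid`.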


Re: How to Renew a Expired Self signed CA certificate

2011-11-01 Thread Nelson B
On 2011/10/30 23:26 PDT, mallapadi niranjan wrote:
> Hi all
> 
> I would like to know how to renew a self-signed CA (RootCA) certificate
> through certutil.

[snip]
> In the case of SubCA's it seems to be fairly easy to renew the Certificates
> by using the same Private key in the nss database by specifying the
> following option
> 
> $certutil -d . -R -k "NSS Certificate DB:subCA" -s "cn=SubCA Authority,o=Example.COM" -a -o example.req2.txt

Does that not also work for your root CA?  It should.

> But not sure how to proceed with RootCA getting expired.

What's unclear?

Use the -R option as you've described above to make a new request for the
root certificate.  Then use -C to issue the new certificate from that
request, using the old root as the issuer.  Since the old root and new
have the same public key, the new cert will be self-signed.


Re: How to Renew a Expired Self signed CA certificate

2011-11-01 Thread mallapadi niranjan
On Mon, Oct 31, 2011 at 11:56 AM, mallapadi niranjan <
niranjan.as...@gmail.com> wrote:

> Hi all
>
> I would like to know how to renew a self-signed CA (RootCA) certificate
> through certutil.
>
> I followed the below procedure to create a self signed CA cert.
>
> $certutil -N -d .
>
> $certutil -S -d . -n "testCA" -s "CN=testCA,O=Example.COM,C=US" -t "CT,," -x -2 -m  -v 1 -t "CT,,"
>
> 
>
> $certutil -L -d . -n testCA
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 0 (0x0)
> Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
> Issuer: "CN=testCA,O=Example.COM,C=US"
> Validity:
> Not Before: Mon Oct 31 06:21:37 2011
> Not After : Thu Dec 01 06:21:37 2011
> Subject: "CN=testCA,O=Example.COM,C=US"
>
> 
> As you can see above the CA cert expires on Dec 01 2011, I would like to
> know how to renew the above certificate
>
> In the case of SubCA's it seems to be fairly easy to renew the
> Certificates by using the same Private key in the nss database by
> specifying the
> following option
>
> $certutil -d . -R -k "NSS Certificate DB:subCA" -s "cn=SubCA Authority,o=Example.COM" -a -o example.req2.txt
>
>
> But not sure how to proceed with RootCA getting expired.
>
> Any pointers on this would be helpful.
>
> Thanks
> Niranjan
>
>
>
>
>
> Hi all

Any pointers on the above would be helpful

Thanks
Niranjan


How to Renew a Expired Self signed CA certificate

2011-10-31 Thread Niranjan M.R
Hi all

I have created a self signed CA Certificate using the below procedure

$certutil -S -d foo -n "testCA0" -s "CN=testCA0,o=Example,Inc.,C=IN" -t "CT,," -x -2 -m  -v 1 -t "CT,,"

The above CA certificate expires in 1 month. I would like to know what
is the procedure to renew the Certificate using the same private key
or extend the validity period of the CA certificate.

Thanks
Niranjan





How to Renew a Expired Self signed CA certificate

2011-10-30 Thread mallapadi niranjan
Hi all

I would like to know how to renew a self-signed CA (RootCA) certificate
through certutil.

I followed the below procedure to create a self signed CA cert.

$certutil -N -d .

$certutil -S -d . -n "testCA" -s "CN=testCA,O=Example.COM,C=US" -t "CT,," -x -2 -m  -v 1 -t "CT,,"



$certutil -L -d . -n testCA
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=testCA,O=Example.COM,C=US"
Validity:
Not Before: Mon Oct 31 06:21:37 2011
Not After : Thu Dec 01 06:21:37 2011
Subject: "CN=testCA,O=Example.COM,C=US"


As you can see above the CA cert expires on Dec 01 2011, I would like to
know how to renew the above certificate

In the case of SubCA's it seems to be fairly easy to renew the Certificates
by using the same Private key in the nss database by specifying the
following option

$certutil -d . -R -k "NSS Certificate DB:subCA" -s "cn=SubCA Authority,o=Example.COM" -a -o example.req2.txt


But not sure how to proceed with RootCA getting expired.

Any pointers on this would be helpful.

Thanks
Niranjan