[openssl-users] question about resigning a certificate

Alex Samad - Yieldbroker Alex.Samad at yieldbroker.com
Sun Mar 22 22:05:30 UTC 2015


Is this the right mailing list to ask this question ?

Can somebody suggest a better ML


From: Alex Samad - Yieldbroker
Sent: Wednesday, 18 March 2015 2:21 PM
To: openssl-users at openssl.org
Subject: RE: [openssl-users] question about resigning a certificate


I have done that and compared the output with diff

The only differences are
Serial number
Signature algo


From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Jakob Bohm
Sent: Wednesday, 18 March 2015 6:50 AM
To: openssl-users at openssl.org<mailto:openssl-users at openssl.org>
Subject: Re: [openssl-users] question about resigning a certificate

On 16/03/2015 02:46, Alex Samad - Yieldbroker wrote:


I had a sha1 signed CA and I issued other  identity and CA certificates from this CA.

With the deprecation of sha1 coming, I resigned my original CA (self signed) as sha512, with the same creation and expiry dates. I believe the only thing changed was the signature and serial number.

But when I go to verify older certs that were signed by the original CA (the sha1 signed one), they are no longer valid.

I thought if I used the same private and public key I should be okay. I thought the only relevant issue was the issuer field and that the CA keys where the same . Was I wrong.

Run openssl x509 -noout -text -in OneOfYourIssuedCerts.pem | more

Look at what aspects of your CA are mentioned.  For example,
does it include the "X509v3 Authority Key Identifier"
extension, and if so, which fields from the CA cert are




Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com

Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10

This public discussion message is non-binding and may contain errors.

WiseMo - Remote Service Management for PCs, Phones and Embedded
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150322/4f0c0cdb/attachment-0001.html>

More information about the openssl-users mailing list