[openssl-users] question about resigning a certificate

Jakob Bohm jb-openssl at wisemo.com
Mon Mar 23 06:33:31 UTC 2015


(Resending because I accidentally sent this
reply from the wrong address last week, and
yes, this is the correct mailing list).

No, don't dump the CA certificate.  Dump one
of the *old* *issued* certificates.

There is nothing to diff against, you need to
see in what ways the *old* *issued*
certificates referred to the *old* CA
certificate, and then make sure those values
remain the same in the new CA certificate.

On 18/03/2015 04:20, Alex Samad - Yieldbroker wrote:
>
> Hi
>
> I have done that and compared the output with diff
>
> The only differences are
>
> Serial number
>
> Signature algo
>
> Comment
>
> Signature.
>
> Alex
>
> *From:* openssl-users [mailto:openssl-users-bounces at openssl.org] *On Behalf Of* Jakob Bohm
> *Sent:* Wednesday, 18 March 2015 6:50 AM
> *To:* openssl-users at openssl.org
> *Subject:* Re: [openssl-users] question about resigning a certificate
>
> On 16/03/2015 02:46, Alex Samad - Yieldbroker wrote:
>
>     Hi
>
>     I had a sha1 signed CA and I issued other identity and CA certificates from this CA.
>
>     With the deprecation of sha1 coming, I resigned my original CA (self signed) as sha512, with the same creation and expiry dates. I believe the only thing changed was the signature and serial number.
>
>     But when I go to verify older certs that were signed by the original CA (the sha1 signed one), they are no longer valid.
>
>     I thought if I used the same private and public key I should be okay. I thought the only relevant issue was the issuer field and that the CA keys were the same. Was I wrong?
>
>     Alex
>
> Run openssl x509 -noout -text -in OneOfYourIssuedCerts.pem | more
>
> Look at what aspects of your CA are mentioned.  For example,
> does it include the "X509v3 Authority Key Identifier"
> extension, and if so, which fields from the CA cert are
> included?
>
Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
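As an added example (not code from the thread or from OpenSSL itself): a shell script that builds a throwaway CA with the openssl CLI, issues two leaf certificates that differ only in what their Authority Key Identifier pins (key id only, versus key id plus issuer name and serial), re-signs the CA with the same key as sha512, and reports which leaf still verifies. File names, subject names, serials and config section names are constructed for the demo; it assumes openssl 1.1.1 or later on PATH.

```shell
# Added example, not from the thread. Throwaway CA; all names/serials constructed.
# Shows why an issued cert whose AKI pins the issuer serial stops verifying once
# the CA cert is re-signed with a new serial, even though the key is unchanged.
set -eu
WORK=$(mktemp -d)
CNF="$WORK/ext.cnf"
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ aki_keyid ]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid:always
[ aki_keyid_issuer ]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid:always,issuer:always
EOF
openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
openssl genrsa -out "$WORK/leaf.key" 2048 2>/dev/null
# sign_ca DIGEST SERIAL OUT: self-sign the *same* CA key with the given digest and serial
sign_ca() {
  openssl req -x509 -new -key "$WORK/ca.key" -subj "/CN=Test CA" -days 3650 \
    "-$1" -set_serial "$2" -config "$CNF" -extensions ca_ext -out "$3"
}
# issue_leaf CA_PEM AKI_SECTION OUT: issue an end-entity cert under CA_PEM
issue_leaf() {
  openssl req -new -key "$WORK/leaf.key" -subj "/CN=leaf" -config "$CNF" -out "$WORK/leaf.csr"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$1" -CAkey "$WORK/ca.key" -set_serial 100 \
    -days 365 -sha256 -extfile "$CNF" -extensions "$2" -out "$3" 2>/dev/null
}
# verifies CA_PEM LEAF_PEM: true when LEAF_PEM chains to CA_PEM
verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# aki_pins_serial LEAF_PEM: true when the leaf's AKI carries the issuer DN and serial
aki_pins_serial() {
  openssl x509 -noout -ext authorityKeyIdentifier -in "$1" | grep -q 'serial:'
}
sign_ca sha256 1 "$WORK/ca_old.pem"                 # the original CA cert
issue_leaf "$WORK/ca_old.pem" aki_keyid "$WORK/leaf_keyid.pem"
issue_leaf "$WORK/ca_old.pem" aki_keyid_issuer "$WORK/leaf_full.pem"
sign_ca sha512 2 "$WORK/ca_new_serial.pem"          # re-signed, serial changed (the case in the thread)
sign_ca sha512 1 "$WORK/ca_same_serial.pem"         # re-signed, serial kept
for leaf in leaf_keyid leaf_full; do for ca in ca_old ca_new_serial ca_same_serial; do
  verifies "$WORK/$ca.pem" "$WORK/$leaf.pem" && echo "$leaf vs $ca: OK" || echo "$leaf vs $ca: FAIL"
done; done
```

Only the leaf whose AKI names the issuer and serial fails against the re-signed CA with the new serial; keeping the old serial (or pinning the key id only) keeps it valid.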