[openssl-users] Properly manage CA-signed certificates that have expired

Jakob Bohm jb-openssl at wisemo.com
Thu Mar 31 16:09:16 UTC 2016


On 31/03/2016 17:16, warron.french wrote:
> Hello, I had to build a Certificate Authority (CA) server for an 
> isolated network (I know, it seems silly).
>
> Anyway, I figured out how to create the CA service doing a self-signed 
> certificate that will expire in 9 years, because it was a 10-year 
> certificate of which 9 years remains available.
>
> I then created separate TLS keys and CSRs and had them signed by the 
> CA server.
>
> The 2 certificates for the "servers" (it's actually all the same 1 
> server with different DNS-A-Record resolvable names) worked perfectly 
> for the past 1 year; but I was kept busy working on other tasks; so 
> this isolated network got neglected.  The two (2) certificates for the 
> servers expired last month.
>
> I documented how to build the CA, how to create the CSRs and get them 
> signed; but I didn't know how to write the documentation for 
> maintaining any certificates once they expired.
>
> I want to properly, and gracefully, manage the CA server to do 
> whatever is appropriate.
>
> I believe, but do not know for sure, that what I want to do is:
> 1.  Revoke the expired certificates (maybe that is not necessary or 
> appropriate?)

Not needed; only do this if the old private key was compromised.
> 2.  Clean up the CA database (with the openssl ca -updatedb command?)
Not needed (I think, never used that command).
> 3.  Then create new server certificates for the 2 servers again.
>
Yep, and give the new ones a slightly different "full"
distinguished name (important for CRL and "ca" database).
My approach is to include the year-month as an extra OU e.g.

CN=foo.example.private,OU=isonetwork,OU=2016-03,O=YourCompany Inc,L=YourTown,C=XX

(This of course needs to be input when generating the new keys
and requests, then checked when signing them).

You should also set up a CRL generation and renewal process,
so you can revoke any compromised keys and tell the clients.
This would require logging on to the CA once a month to sign
an (updated but unchanged) CRL and copy it to some http or
ldap URL on the isolated network.  Professional CAs do this
daily, but that's too much work for a tiny company CA.
Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
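The renewal and the monthly CRL step Jakob describes, as an added shell example that is not part of the thread: it assumes only the openssl CLI, builds a throwaway CA in a temporary directory, and every name, DN and path in it is constructed for the demo.

```shell
# Added example, not from the thread: a throwaway CA in a temp dir that renews a
# server certificate the way Jakob suggests (a year-month OU in the DN, so the
# "ca" database sees a new subject) and then signs a fresh CRL. Needs openssl CLI.
set -e; WORK=$(mktemp -d); CA="$WORK/ca"
mkdir -p "$CA/newcerts"; touch "$CA/index.txt"; echo 1000 > "$CA/serial"; echo 1000 > "$CA/crlnumber"
cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
countryName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"
# Self-signed CA, ten years, as in the original setup (constructed names throughout).
openssl req -config "$CA/openssl.cnf" -x509 $KEYOPTS -days 3650 -keyout "$CA/ca.key" \
  -out "$CA/ca.crt" -subj "/C=XX/O=YourCompany Inc/CN=Isolated Network CA" 2>/dev/null
# issue_cert <fqdn> <yyyy-mm>: fresh key + CSR carrying the date OU, CA-signed; prints the cert path.
issue_cert() {
  openssl req -config "$CA/openssl.cnf" -new $KEYOPTS -keyout "$WORK/$1-$2.key" \
    -out "$WORK/$1-$2.csr" -subj "/C=XX/O=YourCompany Inc/OU=isonetwork/OU=$2/CN=$1" 2>/dev/null &&
  openssl ca -config "$CA/openssl.cnf" -batch -notext -in "$WORK/$1-$2.csr" \
    -out "$WORK/$1-$2.crt" >/dev/null 2>&1 && echo "$WORK/$1-$2.crt"
}
# Monthly chore: re-sign the (unchanged, here empty) revocation list with a new date and number.
sign_crl() { openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CA/ca.crl" 2>/dev/null; }
# What a client on the isolated network should check: the chain plus the current CRL.
verify_cert() { openssl verify -crl_check -CAfile "$CA/ca.crt" -CRLfile "$CA/ca.crl" "$1" >/dev/null 2>&1; }
OLD=$(issue_cert foo.example.private 2015-03)   # last year's certificate
NEW=$(issue_cert foo.example.private 2016-03)   # the renewal: same CN, new date OU
sign_crl
verify_cert "$NEW" && echo "renewed certificate verifies against CA and CRL"
```

With the default `unique_subject = yes`, `openssl ca` refuses a second request carrying exactly the old DN while the old entry is still marked valid in index.txt, which is the database problem the date OU sidesteps.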
