
Is there a way to reset the expiry of a self signed X.509 certificate but keep both the public and the private key as they were?

Technically this should be nothing more than a different date for the "Not After" tag and a fresh signature instead of the old. For CA signed certificates this is also very easy as you just have to send in the CSR again. But in this case I don't have any CSR available because the certificate was created with OpenSSL's req command in one step.

Another question would be: Will verifying clients which trusted this stand-alone certificate still think this is the same certificate and accept it?

aef

1 Answer


Is there a way to reset the expiry of a self signed X.509 certificate but keep both the public and the private key as they were?

Yes, just sign the exact same certificate with a different "Not After" tag. However, not changing the serial number can cause problems for some browsers (and violates the specification).

Another question would be: Will verifying clients which trusted this stand-alone certificate still think this is the same certificate and accept it?

No, because it's not.

David Schwartz
  • Could you please provide an OpenSSL command to do it? I have big trouble finding out how it's actually done. – aef Oct 20 '13 at 10:22
  • You just specify the `-x509` option to `req`. Use the `-key` option to specify the same private key. – David Schwartz Oct 20 '13 at 10:24
  • How do I load my pre-existing certificate into the command? It seems `-in FILENAME` expects a CSR. Is there a way to convert an existing certificate back to a CSR? I definitely do not want to create a different public key as multiple public keys published for one private key leads to easy factorization attacks at least in case of RSA. – aef Oct 20 '13 at 10:29
  • @aef You can create a CSR with the same public key. But you don't need to load your pre-existing certificate. Just specify the same key, common name, and so on. Use a different serial number. – David Schwartz Oct 20 '13 at 11:39
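The procedure from the answer and the comment thread, worked end to end as an added example (this is not code from the original answer or its author). It takes the route aef asked about in the comments: `openssl x509 -x509toreq` turns the existing certificate back into a CSR carrying the same subject and public key, and `openssl x509 -req -signkey` self-signs that CSR again with a new validity period and a fresh serial number, as the answer recommends. The key, subject and file names are constructed for the demonstration; the helper functions at the end exist only so the result can be checked.

```shell
#!/bin/sh
# Added example, not part of the original answer: renew a self-signed X.509
# certificate while keeping the existing key pair. Paths, subject and the
# helper names below are constructed for this demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed starting point: a key and a self-signed certificate made with
# "req -x509" in one step, exactly as in the question, so no CSR was kept.
make_original() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/server.key" -days 1 \
        -subj "/CN=renew.example.test/O=Example" \
        -out "$WORK/old.crt" 2>/dev/null
}

# renew_selfsigned KEY OLDCERT NEWCERT DAYS
# 1. Convert the old certificate back into a CSR (same subject, same public
#    key, signed with the same private key).
# 2. Self-sign that CSR with a new "Not After" and a fresh serial number.
renew_selfsigned() {
    key=$1; old=$2; new=$3; days=$4
    openssl x509 -x509toreq -in "$old" -signkey "$key" \
        -out "$new.csr" 2>/dev/null
    # RFC 5280 requires serials to be unique per issuer, so never reuse the
    # old one; 16 random bytes, passed as hex with a 0x prefix to -set_serial.
    serial="0x$(openssl rand -hex 16)"
    openssl x509 -req -in "$new.csr" -signkey "$key" -days "$days" \
        -set_serial "$serial" -out "$new" 2>/dev/null
}

# Helpers that expose comparable values about a certificate file.
pubkey_sha256()  { openssl x509 -in "$1" -pubkey -noout | openssl sha256 | awk '{print $NF}'; }
serial_of()      { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }
fingerprint_of() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }
not_after_of()   { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }

# same_key OLD NEW: succeeds only when both certificates carry the same
# public key, i.e. the renewal did not silently generate a new key pair.
same_key() { [ "$(pubkey_sha256 "$1")" = "$(pubkey_sha256 "$2")" ]; }

# Stand-alone run: renew and print what changed and what stayed the same.
if [ "${1:-}" = "demo" ]; then
    make_original
    renew_selfsigned "$WORK/server.key" "$WORK/old.crt" "$WORK/new.crt" 365
    same_key "$WORK/old.crt" "$WORK/new.crt" && echo "public key: unchanged"
    echo "old serial:      $(serial_of "$WORK/old.crt")"
    echo "new serial:      $(serial_of "$WORK/new.crt")"
    echo "old not after:   $(not_after_of "$WORK/old.crt")"
    echo "new not after:   $(not_after_of "$WORK/new.crt")"
    echo "old fingerprint: $(fingerprint_of "$WORK/old.crt")"
    echo "new fingerprint: $(fingerprint_of "$WORK/new.crt")"
fi
```

Run it with `sh renew.sh demo`. The printout makes the answer's second point concrete: the public key is identical, but the serial, the signature and therefore the SHA-256 fingerprint all differ, so any client that pinned the old certificate by fingerprint (the usual way a stand-alone certificate is trusted) will reject the new one until it is re-pinned. One caveat with the `-x509toreq` route: the generated CSR does not carry the old certificate's extensions (subjectAltName in particular), so pass them again with `-extfile` when signing and confirm with `openssl x509 -in new.crt -noout -text` that the result contains what your clients need.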