Thursday, July 4, 2013

Replacing self-signed expired certificates using OpenSSL tool

I just realized that one of the certificates I use was expired and OpenVPN didn't want to connect to a server for that reason. So, it was time to generate new certificate/key pair. That's easy, using CA.pl script, part of openssl-perl package. Just do the following sequence of steps:
./CA.pl -newreq-nodes./CA.pl -sign
But the second command didn't work and I was getting the following error messsage:
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
Signed certificate is in newcert.pem
Quick search revealed that I'm trying to issue new certificate that has the same name as the existing one, even though the existing one was expired. There are multiple solutions to this, as documented in the comment of the blog post I found. But the real solution is to revoke expired certificate, and then to sign a new one (note that you don't have to generate another CSR):
ca -config openssl.cnf -revoke oldcert.crt -keyfile cakey.pem -cert cacert.pem
Note that the revocation doesn't mean you have to have OCSP or CSR. Now, old certificate is revoked and you can sign a new one.

No comments:

About Me

scientist, consultant, security specialist, networking guy, system administrator, philosopher ;)