OpenSSL "ca" - Sign the CSR Again

Q

How to sign the a CSR again the OpenSSL "ca" command? It was signed for 1 year the first time. But the requester wants the certificate to valid for 3 years.

✍: FYIcenter.com

A

If you sign a CSR incorrectly and want to sign it again with the OpenSSL "ca" command, you need to revoke the certificate, then sign it again correctly.

The following test shows you how to sign a CSR again after revoke the certificate from the first signing:

C:\Users\fyicenter>\local\OpenSSL-Win32\bin\openssl.exe

OpenSSL> ca -in test.csr -keyfile my_ca.key -cert my_ca.crt -out test.crt
   -policy policy_anything
Using configuration from C:\local\OpenSSL-Win32\bin\openssl.cfg
Enter pass phrase for my_ca.key:fyicenter
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4098 (0x1002)
...
Certificate is to be certified until Jul 31 23:40:49 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

OpenSSL> ca -revoke test.crt -keyfile my_ca.key -cert my_ca.crt
Using configuration from C:\local\OpenSSL-Win32\bin\openssl.cfg
Enter pass phrase for my_ca.key:fyicenter
Revoking Certificate 1002.
Data Base Updated

OpenSSL> ca -in test.csr -keyfile my_ca.key -cert my_ca.crt -out test.crt 
   -policy policy_anything -days 730
Using configuration from C:\local\OpenSSL-Win32\bin\openssl.cfg
Enter pass phrase for my_ca.key:fyicenter
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4099 (0x1003)
...
        Certificate is to be certified until Jul 31 23:45:22 2018 GMT (730 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

OpenSSL> exit

C:\Users\fyicenter>type demoCA\index.txt
...
R       170901014049Z   160901014346Z   1002    unknown /C=US/ST=NY/L=NY
   /O=FYIcenter.com/CN=www.fyicenter.com/emailAddress=joe@fyicenter.com
V       180901014522Z           1003    unknown /C=US/ST=NY/L=NY
   /O=FYIcenter.com/CN=www.fyicenter.com/emailAddress=joe@fyicenter.com

⇒ OpenSSL "ca" - "error while loading CRL number"

⇐ OpenSSL "ca -revoke" - Revoke a Certificate

⇑ OpenSSL "ca" Command

⇑⇑ OpenSSL Tutorials

2016-09-10, 1686👍, 0💬

OpenSSL "ca" - "error while loading CRL number"
Why I am getting the "error while loading CRL number" error when running OpenSSL "ca -gencrl" command? If you are running the OpenSSL "ca -gencrl" command installed with the slproweb binary package for Windows, you may get the "error while loading CRL number" error as shown below: C:\Users\fyicenter... 2016-09-10, 5404👍, 0💬

OpenSSL "ca -gencrl" - Generate CRL
How to generate a CRL using the OpenSSL "ca" command? I need to publish the CRL to inform users about certificates I have revoked. If you want to generate a CRL (Certificate Revocation List), you can use the OpenSSL "ca -gencrl" command as shown below: C:\Users\fyicenter>\loc al\OpenSSL-Win32\... 2016-09-10, 5140👍, 0💬

OpenSSL "ca" Error "stateOrProvinceName field needed to be the same"
Why I am getting the "The stateOrProvinceName field needed to be the same in the CA certificate (...) and the request (...)" error when running OpenSSL "ca" command? If you are running the OpenSSL "ca" command installed with the slproweb binary package for Windows, you may get the "The stateOrProvin... 2016-09-13, 3860👍, 0💬

OpenSSL "crl -text" - View CRL in Test Format
How to view a CRL in text format using the OpenSSL "crl" command? I want to see what certificates are listed in the CRL. If you want to view the content of a CRL (Certificate Revocation List), you can use the OpenSSL "crl -text" command as shown below: C:\Users\fyicenter>\loc al\OpenSSL-Win32\... 2016-09-10, 3456👍, 0💬

OpenSSL "ca -revoke" - Revoke a Certificate
How to revoke a certificate using the OpenSSL "ca" command? The certificate was signed by me with my CA certificate, but now it is no longer needed. If you want revoke a certificate that was signed by you previously, you can use the OpenSSL "ca -revoke" command to revoke it. Actually, the certificat... 2016-09-10, 3420👍, 0💬

OpenSSL "ca -selfsign" - Self Sign CSR
How to sign my own CSR to create a self-signed certificate using the OpenSSL "ca" command? You can use the OpenSSL "req -new -x509" command to generate a self-signed certificate from your private key. But you can also use the "ca -selfsign" command to generate a self-signed certificate from your CSR... 2016-09-09, 2053👍, 0💬

OpenSSL "ca" - Sign CSR with CA Certificate
How to sign a CSR with my CA certificate and private key using OpenSSL "ca" command? I think my configuration file has all the settings for the "ca" command. If you have you configuration file ready and all the required directories and files created, you can sign a CSR with your CA certificate and p... 2016-09-13, 1702👍, 0💬

OpenSSL "ca" - Sign the CSR Again
How to sign the a CSR again the OpenSSL "ca" command? It was signed for 1 year the first time. But the requester wants the certificate to valid for 3 years. If you sign a CSR incorrectly and want to sign it again with the OpenSSL "ca" command, you need to revoke the certificate, then sign it again c... 2016-09-10, 1687👍, 0💬

OpenSSL "ca -config" - Using Configuration File
Can I use my own configuration file when running "ca" command? Yes, you can specify your own configuration file using the "-config file" option when running the "ca" command. OpenSSL configuration file allows you to control the behavior of the "ca" command with the following options: certificate - T... 2016-09-09, 1524👍, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.