OpenSSL "ca" - Sign the CSR Again

Q

How to sign a CSR again with the OpenSSL "ca" command? It was signed for 1 year the first time, but the requester wants the certificate to be valid for 3 years.

✍: FYIcenter.com

A

If you sign a CSR incorrectly and want to sign it again with the OpenSSL "ca" command, you need to revoke the certificate, then sign it again correctly.

The following test shows how to sign a CSR again after revoking the certificate from the first signing:

C:\Users\fyicenter>\local\OpenSSL-Win32\bin\openssl.exe

OpenSSL> ca -in test.csr -keyfile my_ca.key -cert my_ca.crt -out test.crt
   -policy policy_anything
Using configuration from C:\local\OpenSSL-Win32\bin\openssl.cfg
Enter pass phrase for my_ca.key:fyicenter
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4098 (0x1002)
...
Certificate is to be certified until Jul 31 23:40:49 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

OpenSSL> ca -revoke test.crt -keyfile my_ca.key -cert my_ca.crt
Using configuration from C:\local\OpenSSL-Win32\bin\openssl.cfg
Enter pass phrase for my_ca.key:fyicenter
Revoking Certificate 1002.
Data Base Updated

OpenSSL> ca -in test.csr -keyfile my_ca.key -cert my_ca.crt -out test.crt 
   -policy policy_anything -days 730
Using configuration from C:\local\OpenSSL-Win32\bin\openssl.cfg
Enter pass phrase for my_ca.key:fyicenter
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4099 (0x1003)
...
        Certificate is to be certified until Jul 31 23:45:22 2018 GMT (730 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

OpenSSL> exit

C:\Users\fyicenter>type demoCA\index.txt
...
R       170901014049Z   160901014346Z   1002    unknown /C=US/ST=NY/L=NY
   /O=FYIcenter.com/CN=www.fyicenter.com/emailAddress=joe@fyicenter.com
V       180901014522Z           1003    unknown /C=US/ST=NY/L=NY
   /O=FYIcenter.com/CN=www.fyicenter.com/emailAddress=joe@fyicenter.com
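
As an added example (not part of the original FYIcenter page), the Python script below parses demoCA\index.txt and confirms that after the revoke-and-re-sign sequence the subject has exactly one valid serial and the earlier one is marked revoked. It assumes the file's tab-separated six-field layout; the sample is the two entries shown above rejoined onto single lines, and the function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample: the two index.txt entries shown above, one per line,
# with tabs between the six fields.
SUBJECT = ("/C=US/ST=NY/L=NY/O=FYIcenter.com/CN=www.fyicenter.com"
           "/emailAddress=joe@fyicenter.com")
SAMPLE = ("R\t170901014049Z\t160901014346Z\t1002\tunknown\t" + SUBJECT + "\n"
          "V\t180901014522Z\t\t1003\tunknown\t" + SUBJECT + "\n")


def parse_time(s):
    """Parse UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(s) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return a list with one dict per entry of an OpenSSL ca index.txt."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Fields: status, expiry, revocation time[,reason], serial, file, subject
        status, expires, revoked, serial, _file, subject = line.split("\t")
        rev_time, _, reason = revoked.partition(",")
        entries.append({
            "status": status,                 # V = valid, R = revoked, E = expired
            "expires": parse_time(expires),
            "revoked": parse_time(rev_time) if rev_time else None,
            "reason": reason or None,
            "serial": serial,
            "subject": subject,
        })
    return entries


def check_reissue(entries, subject):
    """Return (valid_serials, revoked_serials) recorded for one subject."""
    mine = [e for e in entries if e["subject"] == subject]
    valid = [e["serial"] for e in mine if e["status"] == "V"]
    revoked = [e["serial"] for e in mine if e["status"] == "R"]
    return valid, revoked


if __name__ == "__main__":
    valid, revoked = check_reissue(parse_index(SAMPLE), SUBJECT)
    print("valid:", valid, "revoked:", revoked)
    if len(valid) != 1:
        raise SystemExit("expected exactly one valid certificate for subject")
```

The R status exists only in the CA's database; relying parties learn of the revocation once a CRL is published, for example with `ca -gencrl`.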

 

2016-09-10