Tuesday, February 28, 2012

How to Renew Certificate with OpenSSL

SSL certificates are valid for a certain period of time, usually 365 days. If you are using self-signed certificates, at some point you will need to renew them; otherwise the services that rely on them will "unexpectedly" stop working. How hard that failure is depends on the client configuration: if the client demands a valid server certificate, it will not proceed any further.

Suppose your certificate private key (original request) is in the file my-key.pem and the signed certificate is in my-cert.pem.

Validate Certificate

Validate the certificate by issuing the following command:
    openssl verify my-cert.pem
Here is sample output for a valid certificate:
    my-cert.pem: OK
And for an expired one:
    my-cert.pem: ...
    error 10 at 0 depth lookup:certificate has expired
    OK
If the verification shows that the certificate has expired, you need to renew it.

Renew Certificate

Renewal of an expired certificate consists of two steps: revoke the old one, then sign the certificate request again.
  1. Revoke the expired certificate (you will be asked for the Certificate Authority password):
    ca1:~/ca# openssl ca -revoke my-cert.pem 
    Using configuration from /usr/lib/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Revoking Certificate EFDAF4493BC3D5BB.
    Data Base Updated
    
  2. Rename your certificate key (request) file to newreq.pem and sign it:
    ca1:~/ca# mv my-key.pem newreq.pem
    ca1:~/ca# /usr/lib/ssl/misc/CA.sh -sign
    ...
    Signed certificate is in newcert.pem
    
At this point the renewed certificate is in newcert.pem.

Troubleshooting

If you get an error like the one below:
    failed to update database
    TXT_DB error number 2
you must first revoke the previous certificate in the CA database (step 1 above).
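As an added example that is not part of the original post, the script below builds a throwaway CA in a temporary directory and walks the Validate, Renew and Troubleshooting sections end to end: it issues a certificate whose validity window is already in the past, detects the expiry with openssl x509 -checkend, reproduces the database clash you hit when re-signing without revoking, then revokes and re-signs. The file names (my-key.pem, my-req.pem, my-cert.pem, newcert.pem) and the minimal ca.cnf are assumptions, the demo keys are unencrypted, and current OpenSSL versions report the clash as "There is already a certificate for ..." rather than "TXT_DB error number 2", so the check accepts both.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway CA in a temp dir that
# walks the whole workflow. File names and ca.cnf are assumptions; demo keys are unencrypted.
set -eu
command -v openssl >/dev/null || { echo "openssl CLI is required" >&2; exit 1; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
mkdir -p ca/newcerts; : > ca/index.txt; echo 1000 > ca/serial
# Minimal CA config; unique_subject = yes (the default) is what causes the Troubleshooting clash.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = ./cacert.pem
private_key = ./cakey.pem
default_md = sha256
default_days = 365
policy = pol
unique_subject = yes
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
EOF
openssl req -x509 -newkey rsa:2048 -nodes -keyout cakey.pem -out cacert.pem \
  -subj "/CN=Demo CA" -days 3650 -config ca.cnf 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout my-key.pem -out my-req.pem \
  -subj "/CN=my-host" -config ca.cnf 2>/dev/null
# Issue my-cert.pem with a validity window that already lies in the past.
openssl ca -batch -config ca.cnf -in my-req.pem -out my-cert.pem \
  -startdate 200101000000Z -enddate 200102000000Z 2>/dev/null
# Exit 0 when the certificate has expired, 1 when it is still valid.
cert_expired() { ! openssl x509 -checkend 0 -noout -in "$1" >/dev/null; }
# Re-signing without revoking fails: the CA database still lists the subject as valid.
resign_blocked() {
  openssl ca -batch -config ca.cnf -in my-req.pem -out /dev/null 2>&1 \
    | grep -Eq 'already a certificate|TXT_DB error number 2'
}
renew() {  # the post's two steps: revoke the old certificate, then sign again
  openssl ca -batch -config ca.cnf -revoke my-cert.pem 2>/dev/null
  openssl ca -batch -config ca.cnf -in my-req.pem -out newcert.pem 2>/dev/null
  openssl verify -CAfile cacert.pem newcert.pem
}
```

After renew runs, ca/index.txt holds one R (revoked) line for the old serial and one V line for the new certificate, which is exactly the state the Troubleshooting section asks you to reach before signing again.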

1 comment:

  1. Thank you, Andriy!

    Concise information.
    Just encountered some outdated certs and fixed that in a blink using your HOWTO.
