How can I renew my certificate authority signing key?


Solution 1

How can I renew my certificate authority signing key?

You have two issues to contend with. First is the continuity of end-entity (server and user) certificates. Second is the changing of the Root CA.


Is there a way I can simply create a new ca.crt file with a longer expiry date?

Yes, but see the details below.


The first issue, continuity of end-entity (server and user) certificates, is mostly resolved by using the same public key when you roll over your Root CA.

The new self-signed Root CA will still need to be installed into the relevant trust stores, but the key continuity means the end-entity certificates will not need to be re-issued. If you use a new public key for the Root CA, then you will need to reissue all of the end-entity certificates.


The second issue, rolling over the Root CA, must happen because it's expired. This is the same problem as re-certifying a Root CA because the hash is changed from SHA-1 to SHA-256 to comply with CA/Browser Baseline Requirements. A number of CAs have done this in real life.

The impact of the rollover can be lessened by using the same public key. This will also help with enhanced security controls, like pinning a CA's public key. If the CA certificate is pinned (as opposed to the public key), then it will create a lot of extraneous noise in tools like Cert Patrol.

To roll over the CA, you need to create an "equivalent" Root CA certificate (or as close to equivalent as can be). The way user agents uniquely identify a certificate is outlined in RFC 4158, Internet X.509 Public Key Infrastructure: Certification Path Building.

The short of RFC 4158 is the pair {Subject Distinguished Name, Serial Number} can be used to uniquely identify a certificate in a store. As a CA or Issuer, you are supposed to ensure serial numbers are unique, even if you re-certify.

End-entity certificates have additional ways to be uniquely identified, including the Authority Key Identifier (AKID). In fact, a server's certificate can use a hash of the Issuer's {Subject Distinguished Name, Serial Number} as its AKID (if I recall correctly).

You seem to have figured out how to create a self-signed CA certificate, so I won't discuss the OpenSSL commands.


The real problems occur when your public/private key pairs are compromised. You can't roll over your CA under the existing public key, so you have to issue a new Root CA certificate and re-issue all end-entity certificates.


To recap, here are your actionable items:

  • Use same public key for CA
  • Use same Distinguished Name for CA
  • Use new Serial Number for CA
  • Install newly issued CA on all client machines
  • Do not re-issue end-entity certificates
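The rollover described in this answer, carried out end to end as an added example (not code from the answer or from the freelan wiki): a short-lived Root CA stands in for the expired ca.crt, a server certificate is issued under it, a new CA certificate is then produced from the same key and Subject DN with a new serial, and the old server certificate is verified against the new trust anchor. It assumes openssl 1.1.1 or later on PATH; every name, path and serial number is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: Root CA rollover with key continuity (same key, same DN, new serial),
# then proof that an end-entity cert issued under the old CA verifies under the new one.
# Assumes openssl 1.1.1+ on PATH; all names, paths and serials below are constructed.
set -eu

ca_rollover_demo() {
  work=$(mktemp -d); dn="/CN=Example Lab Root CA"
  cat >"$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
[v3_ee]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid
EOF
  # Original CA: deliberately short-lived, standing in for the expired ca.crt.
  openssl genrsa -out "$work/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -config "$work/ca.cnf" -extensions v3_ca -key "$work/ca.key" \
    -subj "$dn" -set_serial 1 -days 1 -sha256 -out "$work/ca.crt" 2>/dev/null
  # End-entity certificate signed by the original CA (AKID = hash of the CA public key).
  openssl genrsa -out "$work/server.key" 2048 2>/dev/null
  openssl req -new -config "$work/ca.cnf" -key "$work/server.key" \
    -subj "/CN=vpn.example.test" -out "$work/server.csr" 2>/dev/null
  openssl x509 -req -in "$work/server.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
    -set_serial 1000 -days 365 -sha256 -extfile "$work/ca.cnf" -extensions v3_ee \
    -out "$work/server.crt" 2>/dev/null
  # Rollover: a new self-signed CA certificate from the SAME key and DN with a NEW serial.
  openssl req -new -x509 -config "$work/ca.cnf" -extensions v3_ca -key "$work/ca.key" \
    -subj "$dn" -set_serial 2 -days 3650 -sha256 -out "$work/newca.crt" 2>/dev/null
  # The answer's checklist: same public key, same Distinguished Name, different serial.
  field() { openssl x509 -in "$1" -noout "$2"; }
  [ "$(field "$work/ca.crt" -pubkey)" = "$(field "$work/newca.crt" -pubkey)" ] \
    || { echo "FAIL: public key changed"; return 1; }
  [ "$(field "$work/ca.crt" -subject)" = "$(field "$work/newca.crt" -subject)" ] \
    || { echo "FAIL: subject DN changed"; return 1; }
  old_ser=$(field "$work/ca.crt" -serial); new_ser=$(field "$work/newca.crt" -serial)
  [ "$old_ser" != "$new_ser" ] || { echo "FAIL: serial reused"; return 1; }
  # Key continuity: the old server cert chains to the NEW trust anchor without re-issue.
  openssl verify -CAfile "$work/newca.crt" "$work/server.crt" >/dev/null 2>&1 \
    || { echo "FAIL: server cert does not verify under new CA"; return 1; }
  rm -rf "$work"
  echo "rollover ok: $new_ser replaces $old_ser"
}

ca_rollover_demo
```

On failure the temporary directory is left in place so the generated files can be inspected.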

Solution 2

According to https://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal the following sequence should work:

openssl req -new -key key/ca.key -out key/newca.csr
openssl x509 -req -days 3650 -in key/newca.csr -signkey key/ca.key -out crt/newca.crt

Updated on September 18, 2022

Comments

  • Chris
    Chris over 1 year

    I am a noob considering certificate authorities. I followed this article a while ago to set up my own certificate authority and with its help set up my own freelan VPN network: https://github.com/freelan-developers/freelan/wiki/X509-certificates-generation

    Basically, all I had to do was call:

    openssl req -new -x509 -extensions v3_ca -keyout key/ca.key -out crt/ca.crt -config ca.cnf

    The issue is that my ca.crt certificate, which I believe to be the public key to ca.key, is now expired according to openssl. I have used this certificate to sign other keys, though, and would not want to have to go through that again.

    Is there a way I can simply create a new ca.crt file with a longer expiry date?

    I don't remember if I had to set the expiry date of ca.crt somewhere, but I don't believe I did, because it was only valid for 1 month. I would like to know if this is expected and recommended or actually a mistake I made along the way? How long should the ca.crt certificate be valid for, really?

    I have found different commands online, but am not sure which one is right for me e.g.: https://stackoverflow.com/questions/13295585/openssl-certificate-verification-on-linux https://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal

    • Ramhound
      Ramhound about 8 years
      CA certifications shouldn't have long expiration dates. Honestly, no single certificate should be longer than 2 or 3 years. This forces you to increase the key size, to avoid weak certifications, in the future.