Renew SSL client certificates
Is it possible to extend the client certificate lifetime?
No, this is not possible.
The client certificate has a certain validity date which cannot be changed. The only possibility is to create a new certificate with a new validity date.
Do I have to reinstall the certificate on all clients or is there another way?
You have no access to the certificates in the browser of your client from your server. What you can do is develop a webpage (authenticated with client certificates) that allows users to create a new certificate and import that into their browser.
On the server side of this webpage, you can create a new certificate either with the same certificate request you used last year (a bit less secure) or create a new certificate request with the information you have about the user in your db. You can do this with openssl the same way you described in your post.
How do I renew / regenerate client certificates using openssl on linux
As I wrote in the previous question, you need to create a new certificate. You can do this using the certificate request you used last year or you create a new one (more secure but also more complex). Then you need to sign that request with the server key and export it into pkcs12.
I would stick with your current validity time (1 year), even if it is some trouble to renew the certificates, because the longer the certificates are valid, the bigger the chance is that some authorised user becomes unauthorised but still has a valid certificate.
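The renewal flow the answer describes (sign the client's existing CSR again with the CA key for a fresh validity window, give it a new serial, export to PKCS#12), as an added shell example that is not part of the original question or answer. It assumes the openssl command-line tool and reuses the question's file names; the CA, client key and CSR are constructed on the fly as demo material, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: renew an expiring client
# certificate the way the answer suggests, by re-signing the client's existing
# CSR with the CA key for a fresh validity window and a NEW serial, then
# re-exporting the result as PKCS#12 for the browser. File names follow the
# question; the CA, key and CSR here are constructed demo material only.
# Requires the openssl command-line tool.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Throwaway CA plus an initial one-day client certificate, so the renewal
# below has something to replace.
setup_demo() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -days 3650 -subj "/CN=Demo Client CA" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/client.key" \
    -out "$WORK/client.csr" -subj "/CN=alice" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -set_serial 1 -out "$WORK/client.crt" 2>/dev/null
}

# Renewal: sign the SAME CSR again. Usage: renew_client_cert DAYS SERIAL
# The serial must differ from every earlier certificate issued by this CA;
# reusing one breaks revocation lists and some clients reject the cert.
renew_client_cert() {
  openssl x509 -req -days "$1" -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -set_serial "$2" -out "$WORK/client-renewed.crt" \
    2>/dev/null
  # Bundle the new certificate with the client's unchanged private key.
  openssl pkcs12 -export -clcerts -in "$WORK/client-renewed.crt" \
    -inkey "$WORK/client.key" -passout pass:changeit \
    -out "$WORK/client-renewed.p12" 2>/dev/null
}

# Succeeds when CERT chains to the CA and will still be valid in DAYS days.
# Usage: cert_ok_for_days CERT DAYS
cert_ok_for_days() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1 &&
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Prints CERT's serial, e.g. "serial=02", to confirm the renewal got a new one.
cert_serial() { openssl x509 -in "$1" -noout -serial; }
```

Run cert_ok_for_days against the installed client.crt first to see how soon it expires, then renew_client_cert with a serial the CA has never issued before.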
Michel Feldheim
Updated on September 18, 2022
Comments
-
Michel Feldheim over 1 year
For an internally used web-based software, which must be available from everywhere, I have created client certificates which are installed in the browsers of authorized consumers.
Now, with 2012 being over, all of them are expired and need a renewal. I've given out PKCS #12 certificates (.p12).
Here are my questions:
- Is it possible to extend the client certificate lifetime?
- Do I have to reinstall the certificate on all clients or is there another way (e.g. centrally from the server, some kind of update mechanism maybe)?
- How do I renew / regenerate client certificates using openssl on linux?
Because this might be of interest, here is how I created the browser certificates:
# client private key
openssl genrsa -des3 -out client.key 1024
# generate certificate signing request
openssl req -new -key client.key -out client.csr
# create certificate, sign with server key
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
# export into pkcs12
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
-
Michael Hampton over 11 years
How did you do it originally?
-
Michel Feldheim over 11 years
Generated a CSR for each client, created certs, signed them with my server key and exported them into a .p12 for the browser.
-
Michel Feldheim over 11 years
Thank you. I like the idea with a web-based certificate generation tool. I'll implement this for next year before the new certificates are invalid.