SSL question

linuxperson
nis02:/etc/ssl/certs # openssl x509 -noout -in YaST-CA.pem -dates
notBefore=Jun 19 03:42:53 2015 GMT
notAfter=Jun 16 03:42:53 2025 GMT

I want to expire this cert today. What is the right command?

So I can delete this cert afterwards.
Dave Howe, Software and Hardware Engineer

Commented:
You can't. The cert was issued with those dates; if you issue a new cert with new dates, it will have no effect on the prior cert.

If you wish to *revoke* a cert, that's a different function; however, a CA cert can't be revoked (as it isn't signed by anything higher to revoke it with).

Author

Commented:
I changed the hostname and IP address on the server.

What do I need to do with the CA cert, since this information is different from when the CA cert was created?
Dave Howe, Software and Hardware Engineer

Commented:
OK. So what you need to issue is a new end-node cert, not a new CA cert. The way it works is that the CA is a self-signed cert that never changes, and the server cert (if I recall, literally called servercert.pem) can be updated to reflect the new name and IP. Take a look at the YaST screens at https://www.suse.com/documentation/sles11/book_security/data/sec_security_yast_ca_module.html and in particular section 17.2.4 (creating or revoking user certificates). This can be used to issue a new user (server) certificate for your web server, LDAP, etc.
Author

Commented:
I installed SUSE 11 SP3 and converted it to a template. From the template I created a new VM called ldap01.example.com; the template had a CA and a server cert. Now, for the new VM ldap01.example.com, can I use the existing CA cert and create a new server cert?

I was under the impression I have to recreate both the CA and the server cert for this VM.
Dave Howe, Software and Hardware Engineer

Commented:
No. You keep the CA cert (which won't run out for a decade or so :D) and issue new server certs. In fact, you can use ONE CA to issue all the server certs on your network; that way you only need to import the CA into browsers and the like once, instead of importing multiple CAs.

Author

Commented:
If I am right, I keep the same CA but create a new server cert.

When I export, I should be exporting the server cert, right?
Dave Howe, Software and Hardware Engineer
Commented:
Yes. You don't need to export the CA cert, as that doesn't change.

The private key must match the server cert, of course, so if a new key is generated, you should export that too.
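The procedure laid out in the replies above (keep the existing self-signed CA, issue a new server cert for the renamed host, and export the server cert together with its matching private key) as an added shell example that drives openssl directly instead of the YaST CA module. It is not code from the thread or from SUSE. The working directory, the IP address 192.0.2.10, the 825-day server cert lifetime, the stand-in demo CA, and the PKCS#12 password "changeit" are assumptions for the demo; on the real SLES host you would skip make_demo_ca and point CA_CERT/CA_KEY at the existing YaST-CA.pem and its key.

```shell
#!/bin/sh
# Added example, not from the thread: keep the existing CA, issue a new
# server certificate for the renamed VM, confirm the new key matches the new
# cert, and export both. Paths, the IP, the lifetime and the PKCS#12
# password are assumptions for the demo.
set -eu

OUTDIR="${OUTDIR:-$(mktemp -d)}"
CA_CERT="$OUTDIR/YaST-CA.pem"   # real host: /etc/ssl/certs/YaST-CA.pem (assumed)
CA_KEY="$OUTDIR/cakey.pem"      # assumed location of the CA private key
HOST="ldap01.example.com"
IP="192.0.2.10"                 # assumed new address (RFC 5737 test range)

# Constructed stand-in for the existing YaST CA so the script runs offline.
# On the real server skip this; the CA cert and key already exist.
make_demo_ca() {
    cat > "$OUTDIR/ca.ext" <<EOF
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo YaST CA" \
        -keyout "$CA_KEY" -out "$OUTDIR/ca.csr" 2>/dev/null
    openssl x509 -req -in "$OUTDIR/ca.csr" -signkey "$CA_KEY" -days 3650 -sha256 \
        -extfile "$OUTDIR/ca.ext" -out "$CA_CERT" 2>/dev/null
}

# The CA is never modified: its fingerprint is identical before and after.
ca_fingerprint() {
    openssl x509 -in "$CA_CERT" -noout -fingerprint -sha256 | sed 's/.*=//'
}

issue_server_cert() {
    # 1. A fresh key for this VM. Never carry the template's key over: every
    #    clone of the template would otherwise share one private key.
    openssl genrsa -out "$OUTDIR/serverkey.pem" 2048 2>/dev/null
    # 2. CSR carrying the new hostname as CN.
    openssl req -new -key "$OUTDIR/serverkey.pem" -subj "/CN=$HOST" \
        -out "$OUTDIR/server.csr" 2>/dev/null
    # 3. End-entity extensions; clients match the name against the SAN,
    #    so the new DNS name and IP go there.
    cat > "$OUTDIR/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$HOST,IP:$IP
EOF
    # 4. Sign with the existing CA (825 days is an assumed lifetime).
    #    -CAcreateserial writes YaST-CA.srl next to the CA cert.
    openssl x509 -req -in "$OUTDIR/server.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
        -CAcreateserial -days 825 -sha256 -extfile "$OUTDIR/server.ext" \
        -out "$OUTDIR/servercert.pem" 2>/dev/null
}

# Returns 0 only if the chain validates against the CA, the SAN carries the
# new name, and the private key really belongs to the certificate (the
# mismatch pitfall raised in the last reply).
verify_server_cert() {
    openssl verify -CAfile "$CA_CERT" "$OUTDIR/servercert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$OUTDIR/servercert.pem" -noout -text | grep -q "DNS:$HOST" || return 1
    cert_pub=$(openssl x509 -in "$OUTDIR/servercert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$OUTDIR/serverkey.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Export what the new service needs: the server cert plus its key, bundled as
# PKCS#12 with the CA cert for convenience. The CA private key stays behind.
export_server_bundle() {
    openssl pkcs12 -export -name "$HOST" -inkey "$OUTDIR/serverkey.pem" \
        -in "$OUTDIR/servercert.pem" -certfile "$CA_CERT" \
        -passout pass:changeit -out "$OUTDIR/$HOST.p12" 2>/dev/null
}

make_demo_ca
before=$(ca_fingerprint)
issue_server_cert
verify_server_cert
echo "server cert OK for $HOST"
[ "$before" = "$(ca_fingerprint)" ] && echo "CA cert unchanged"
export_server_bundle
openssl x509 -noout -in "$OUTDIR/servercert.pem" -subject -dates
echo "files left in $OUTDIR"
```

The dates printed at the end belong to the new server cert only; the CA cert keeps the notBefore/notAfter shown in the question, which is the point of the replies: nothing about the CA changes, so only servercert.pem and serverkey.pem (or the .p12 carrying both) have to be copied to the new VM.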
