linuxperson asked:

SSL question

nis02:/etc/ssl/certs # openssl x509 -noout -in YaST-CA.pem -dates
notBefore=Jun 19 03:42:53 2015 GMT
notAfter=Jun 16 03:42:53 2025 GMT

I want to expire this cert today. What is the right command?

So I can delete this cert after.
SSL / HTTPS, Linux, Linux Security

8/22/2022 - Mon
Dave Howe

You can't. The cert was issued with those dates; if you issue a new cert with the new dates, it will have no effect on the prior cert.

If you wish to *revoke* a cert, that's a different function; however, a CA cert can't be revoked (as it isn't signed by anything higher to revoke it with).

I changed the hostname on the server and IP address.

What do I need to do with the CA cert, since this information is different from the time the CA cert was created?
Dave Howe

OK. So what you need to issue is a new end node cert, not a new CA cert. The way it works is that the CA is a self-signed cert that never changes, and the server cert (if I recall, literally called servercert.pem) can be updated to reflect the new name and IP. Take a look at the YaST screens at https://www.suse.com/documentation/sles11/book_security/data/sec_security_yast_ca_module.html and in particular, the section 17.2.4 (creating or revoking user certificates) - this can be used to issue a new user (server) certificate for your webserver, LDAP etc.

I installed SUSE 11 SP3 and converted it to a template. From the template I created a new VM called ldap01.example.com; the template had a CA and Server cert. Now for the new VM ldap01.example.com, can I use the existing CA cert and create a new server cert?

I was under the impression I have to recreate both the CA and Server cert for this VM.
Dave Howe

No. You keep the CA cert (which won't run out for a decade or so :D) and issue new server certs. In fact, you can use ONE CA to issue all the server certs on your network; that way you only need to import the CA into browsers and stuff once, instead of importing multiple CAs.
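
As an added example (not part of the thread, and not the YaST procedure itself), the same idea with the openssl command line: one CA is kept, a new server certificate is issued for the cloned VM's hostname and IP, and the certificate inherited from the template is shown failing the name check. The CA here is a throwaway stand-in for the existing one; template.example.com, the 192.0.2.x addresses, the function names and the file names are assumptions.

```shell
#!/bin/sh
# Constructed demo: hostnames, 192.0.2.x addresses and file names are
# placeholders; the throwaway CA stands in for the existing YaST CA.

# Create a self-signed CA in directory $1 (done once, then left alone).
make_demo_ca() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        'prompt=no' '[dn]' 'CN=Demo CA' '[v3_ca]' \
        'basicConstraints=critical,CA:TRUE' > "$1/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Issue a server cert for hostname $2 and IP $3, signed by the CA in $1.
issue_server_cert() {
    printf 'subjectAltName=DNS:%s,IP:%s\nbasicConstraints=CA:FALSE\n' \
        "$2" "$3" > "$1/$2.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -extfile "$1/$2.ext" \
        -out "$1/$2.pem" 2>/dev/null
}

# Succeed only if cert file $2 chains to the CA in $1 and also
# matches hostname $3 and IP $4.
cert_valid_for() {
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$3" -verify_ip "$4" \
        "$2" 2>/dev/null | grep -q ': OK$'
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_ca "$d" &&
    # the server cert that was baked into the template
    issue_server_cert "$d" template.example.com 192.0.2.5 &&
    # the new server cert for the clone, same CA
    issue_server_cert "$d" ldap01.example.com 192.0.2.10 || return 1
    cert_valid_for "$d" "$d/ldap01.example.com.pem" ldap01.example.com 192.0.2.10 &&
        echo "new cert: valid for ldap01.example.com"
    cert_valid_for "$d" "$d/template.example.com.pem" ldap01.example.com 192.0.2.10 ||
        echo "template cert: rejected for ldap01.example.com"
    rm -rf "$d"
}
demo
```

Clients only need `ca.pem` in their trust store; the CA key stays on the machine that issues certificates.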

If I am right, I keep the same CA but create a new server cert.

When I export, I should be exporting the server cert, right?