I have one self-signed rootcacert.pem which is going to expire next month. Due to a specific reason, I have extended the validity of this rootcacert using the command:

openssl x509 -in rootcacert.pem -days 365 -out extendedrootcacert.pem -signkey rootcakey.pem -text

So I get the new root CA as extendedrootcacert.pem. Using the new root CA, I am able to use user certificates signed by the old root CA as well as newer user certificates signed by this new root CA. All functionality works fine without any problem.

But when I opened this extendedrootcacert.pem & original rootcacert.pem file using notepad, I found that there is a difference between the contents.

The rootcacert.pem has the private key and other information (Private-Key, publicExponent, privateExponent, prime1, prime2, exponent1, exponent2, coefficient), which looks like:

http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/sample-key-components.htm

But the new extendedrootcacert.pem does not have this information in it. All other fields are the same in both certificates.

I don't know how the original rootcacert.pem was generated.

Will there be any adverse impact on my application's functionality? Is there any way to include this information in the new extended root CA? Is it absolutely necessary to have this information in the new extended root CA?

Appreciate any input.

A: 

Your link is erroneous.

The important part for the certificate is between the lines:

-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

All human-comprehensible text outside them is only for human consumption.

You can do a fresh dump of the information in both with:

openssl x509 -in rootca.pem -noout -text
openssl x509 -in extendedrootca.pem -noout -text

and compare them.

It is also probable that your rootca.pem combines both the key and the certificate in one single file. In this case you will find lines like:

-----BEGIN RSA PRIVATE KEY-----
…
-----END RSA PRIVATE KEY-----

You should then add that to your extendedrootca.pem.

kmkaplan
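
Added example (not part of the answer above and not any project's code): a Python check of what the answer describes. It lists the PEM blocks in a file, flags a private key stored alongside the certificate, and returns the text outside the armor lines that parsers ignore. The names inspect_pem and armor and both sample files are constructed for illustration; the payloads are placeholders, not real keys or certificates.

```python
import base64
import hashlib
import re

# One PEM armor block: captures the label and the lines between the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def inspect_pem(text):
    """Return (blocks, has_private_key, stray_lines) for a PEM file's text."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        # Legacy encrypted keys carry "Name: value" header lines; skip them.
        b64 = "".join(ln.strip() for ln in match.group(2).splitlines()
                      if ":" not in ln)
        der = base64.b64decode(b64)
        blocks.append((match.group(1), hashlib.sha256(der).hexdigest()))
    has_private_key = any(label.endswith("PRIVATE KEY") for label, _ in blocks)
    # Whatever remains outside the armor (e.g. "-text" output) is ignored
    # by anything that loads the certificate.
    outside = PEM_BLOCK.sub("", text)
    stray_lines = [ln for ln in outside.splitlines() if ln.strip()]
    return blocks, has_private_key, stray_lines


def armor(label, payload):
    """Wrap placeholder bytes in PEM armor (constructed sample data only)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed stand-ins for the two files in the question.
OLD_FILE = ("Private-Key: (2048 bit)\npublicExponent: 65537 (0x10001)\n"
            + armor("RSA PRIVATE KEY", b"constructed-key-bytes")
            + armor("CERTIFICATE", b"constructed-old-cert"))
NEW_FILE = ("Certificate:\n    Data:\n"
            + armor("CERTIFICATE", b"constructed-new-cert"))

if __name__ == "__main__":
    for name, text in (("old", OLD_FILE), ("new", NEW_FILE)):
        blocks, has_key, stray = inspect_pem(text)
        print(name, [label for label, _ in blocks],
              "private key present:", has_key,
              "ignored text lines:", len(stray))
```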
A: 

Sorry, the link is broken. The correct link is

http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/sample-key-components.htm

anil