On Wed, Nov 2, 2011 at 7:53 AM, Nelson B <nel...@bolyard.me> wrote:
> On 2011/10/30 23:26 PDT, mallapadi niranjan wrote:
> > Hi all
> >
> > I would like to know how to renew a self-signed CA (RootCA) certificate
> > through certutil.
>
> [snip]
>
> > In the case of SubCAs it seems to be fairly easy to renew the Certificates
> > by using the same Private key in the nss database by specifying the
> > following option
> >
> > $certutil -d . -R -k "NSS Certificate DB:subCA" -s "cn=SubCA Authority,o=Example.COM" -a -o example.req2.txt
>
> Does that not also work for your root CA? It should.
>
> > But not sure how to proceed with RootCA getting expired.
>
> What's unclear?
>
> Use the -R option as you've described above to make a new request for the
> root certificate. Then use -C to issue the new certificate from that
> request, using the old root as the issuer. Since the old root and new
> have the same public key, the new cert will be self-signed.
>
Thanks Nelson, I tried that earlier but somehow it failed, but I could do that using the below procedure:

Create a self-signed root CA:
$certutil -S -d . -n "testca" -s "CN=rootca0,o=Example.com,c=US" -t "CT,," -x -2 -m 0000 -v 1

Create a server certificate:
$certutil -R -d . -s "CN=www.example.com,o=Example.com,C=US" -a -o example.req -v 12

Sign the cert:
$certutil -C -d . -c "testca" -a -i example.req -o server.pem -2 -6

Create a new rootCA using the same private key:
$certutil -d . -R -k "NSS Certificate DB:testca" -s "CN=rootca0,o=Example.com,c=US" -a -o rootca.req -m 0 -v 12

Sign it with the old cert:
$certutil -C -d . -c "testca" -a -i rootca.req -t "CT,," -v 12 -o cacert.crt

$certutil -L -d . -n testca

The above command shows the old certificate and also the new certificate.

Thanks
Niranjan

--
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>