Renew/extend CA created with ikectl

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Renew/extend CA created with ikectl

Kim Zeitler
Hello,

before I start getting creative with openssl(1) on my ikectl(8) created ca.

Yesterday my ca certificate expired and I need to renew it (without
loosing all the client certificates)

Is there a recommended way of renewing the ca.crt created using ikectl
ca create?
I didn't find anything in the man pages nor on the mailing list. Having
had a look at ikeca.c gave me some idea of how the file is created.

Also is there a way of having the ca cert valid for more than 365 days?

Cheers,
Kim



smime.p7s (6K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Renew/extend CA created with ikectl

Stuart Henderson
On 2018-12-07, Kim Zeitler <[hidden email]> wrote:

> This is a cryptographically signed message in MIME format.
>
> --------------ms050605050209090609050606
> Content-Type: text/plain; charset=utf-8; format=flowed
> Content-Language: en-GB
> Content-Transfer-Encoding: 7bit
>
> Hello,
>
> before I start getting creative with openssl(1) on my ikectl(8) created ca.
>
> Yesterday my ca certificate expired and I need to renew it (without
> loosing all the client certificates)
>
> Is there a recommended way of renewing the ca.crt created using ikectl
> ca create?

It's a bit awkward but can be done, you'll find some information at
https://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal

You'll need to get the new CA cert installed on clients anyway though
(and I don't suppose the client certs have much longer validity either?)
so doing the above might not save you much trouble ..

> I didn't find anything in the man pages nor on the mailing list. Having
> had a look at ikeca.c gave me some idea of how the file is created.
>
> Also is there a way of having the ca cert valid for more than 365 days?

Not without patching the command-line in ikectl code, or generating
the cert manually. It's not ideal..

I'd probably recommend using something else to manage your internal
CA (or just avoiding X509 if you don't actually need it...).