This is a how-to article on renewing self-signed CA certificates using certutil commands. To create self-signed certificate authorities and other certificates, refer to the Mozilla documentation.

Just as normal user or server certificates expire, CA certificates also expire after a certain period, so one needs to know how to renew them.

Since this how-to is based on Mozilla NSS, I will explain with an example NSS database in which a CA and user certificates were created using certutil commands.

$ certutil -L -d /etc/pki/testca

Certificate Nickname          Trust Attributes
                          SSL,S/MIME,JAR/XPI
testca                   CTu,u,u
www                     u,u,u

testca is the CA certificate and www is a user certificate.

$ certutil -L -d /etc/pki/testca -n testca | head -n 15
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=rootca0,O=Example.com,C=US"
        Validity:
            Not Before: Tue Nov 01 02:29:56 2011
            Not After : Thu Dec 01 02:29:56 2011
        Subject: "CN=rootca0,O=Example.com,C=US" 

To view the private key, issue the command below:

$ certutil -K -d /etc/pki/testca
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
 Enter Password or Pin for "NSS Certificate DB":
 < 0> rsa 2caa8cf41a5fc803902034710f59c296326cdcc8 NSS Certificate DB:testca
  < 1> rsa      99059e9f59b710edcee11d4bd32fd97977bc121e   NSS Certificate DB:www

From the above output you can see the nickname of the private key used by testca.

The procedure to renew the testca Certificate is:

1. Create a certificate request using the same private key

2. Get it signed by the old CA

3. Add the newly signed CA certificate to the NSS database

Creating a certificate request using the same private key:

$ certutil -d . -R -k "NSS Certificate DB:testca" -s "CN=rootca0,o=Example.com,c=US" -a -o rootca.req

Brief explanation of the command options:

-R: Create a certificate-request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use the -o output-file argument.
-s: subject of the certificate (use the same subject as the earlier CA)
-m: serial number (used with the signing command below)
-v: period in months for which the certificate will be valid (used with the signing command below)

Sign the certificate request:

$ certutil -C -d . -c "testca" -a -i rootca.req -t "CT,," -o cacert.crt -m 0 -v 12

Add the certificate to the NSS database:

$ certutil -A -d . -n "testca" -a -i cacert.crt -t "CT,,"

List the CA certificate to check the validity period:

$ certutil -L -d . -n testca -a

The listing contains both certificates (old and new) stored under the testca nickname. Remove the -a option from the above command to see pretty-printed output:

Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number:
 00:96:14:79:7a
 Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
 Issuer: "CN=rootca0,O=Example.com,C=US"
 Validity:
 Not Before: Tue Nov 01 03:17:32 2011
 Not After : Thu Nov 01 03:17:32 2012
 Subject: "CN=rootca0,O=Example.com,C=US"
 Subject Public Key Info:
 Public Key Algorithm: PKCS #1 RSA Encryption
 RSA Public Key:
 Modulus:
 c7:88:02:d5:38:6b:82:a3:67:34:c6:32:17:a8:be:50:
 e9:10:52:52:f6:bf:6f:e3:62:bd:69:3d:92:74:a9:7b:
 df:7c:c8:54:3b:9b:36:e2:f2:0e:04:ce:53:ad:f3:de:
 a2:54:b9:23:89:e9:12:6e:d7:df:c7:1e:b2:7b:9a:ee:
 19:fc:1d:76:9a:3a:02:7a:57:32:16:6f:1b:b0:ca:ad:
 6a:59:e0:20:f5:10:fa:56:fb:e0:ec:ce:e2:81:a1:91:
 39:d2:b7:1d:1d:90:b6:a3:a8:8c:02:6d:8f:39:75:82:
 68:72:1a:a4:f7:d7:6d:d6:a1:bb:24:10:b6:00:be:45
 Exponent: 65537 (0x10001)
 Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
 Signature:
 b5:68:a9:eb:db:3f:b8:5a:3c:a3:f2:67:08:03:e2:40:
 78:3a:87:ce:73:cc:f6:d8:a6:61:fb:f2:93:6a:2e:51:
 82:75:db:88:64:4a:d2:1a:55:fe:29:87:0b:a8:f6:2a:
 b3:db:dd:ac:26:51:33:17:cd:68:d0:f4:f8:f8:7f:89:
 ee:28:59:8c:d9:06:3c:56:ca:5b:3f:38:81:ec:83:e5:
 c4:a8:75:9b:7d:10:67:35:49:1e:54:cb:ee:e3:0c:16:
 e7:79:08:95:52:6f:58:81:e0:9e:81:69:c9:21:37:ee:
 4c:4c:66:51:ca:d5:df:37:d0:36:a4:73:f3:72:34:0c
 Fingerprint (MD5):
 2B:90:4E:AE:E5:91:37:20:AD:41:A2:B1:4A:CC:16:A5
 Fingerprint (SHA1):
 DA:6C:F5:A1:A1:03:9B:6E:11:2C:BF:FA:DA:43:5C:D1:52:0B:B5:1B
 Certificate Trust Flags:
 SSL Flags:
 Valid CA
 Trusted CA
 User
 Trusted Client CA
 Email Flags:
 User
 Object Signing Flags:
 User
 Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 0 (0x0)
 Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
 Issuer: "CN=rootca0,O=Example.com,C=US"
 Validity:
 Not Before: Tue Nov 01 02:29:56 2011
 Not After : Thu Dec 01 02:29:56 2011
 Subject: "CN=rootca0,O=Example.com,C=US"
 Subject Public Key Info:
 Public Key Algorithm: PKCS #1 RSA Encryption
 RSA Public Key:
 Modulus:
 c7:88:02:d5:38:6b:82:a3:67:34:c6:32:17:a8:be:50:
 e9:10:52:52:f6:bf:6f:e3:62:bd:69:3d:92:74:a9:7b:
 df:7c:c8:54:3b:9b:36:e2:f2:0e:04:ce:53:ad:f3:de:
 a2:54:b9:23:89:e9:12:6e:d7:df:c7:1e:b2:7b:9a:ee:
 19:fc:1d:76:9a:3a:02:7a:57:32:16:6f:1b:b0:ca:ad:
 6a:59:e0:20:f5:10:fa:56:fb:e0:ec:ce:e2:81:a1:91:
 39:d2:b7:1d:1d:90:b6:a3:a8:8c:02:6d:8f:39:75:82:
 68:72:1a:a4:f7:d7:6d:d6:a1:bb:24:10:b6:00:be:45
 Exponent: 65537 (0x10001)
 Signed Extensions:
 Name: Certificate Basic Constraints
 Data: Is a CA with no maximum path length.
 Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
 Signature:
 3f:a1:7d:2b:fc:be:59:c2:f8:b4:b8:a3:e6:f9:b1:74:
 32:be:89:5f:e3:46:4b:50:73:4f:d0:ba:0a:54:51:ca:
 16:4f:ba:51:56:c1:9f:b1:88:40:51:83:21:95:99:a7:
 c4:7b:90:78:ba:75:df:13:e7:d4:57:18:0d:aa:23:38:
 fa:10:0a:27:da:74:2d:0e:be:53:a2:bd:39:f1:40:d5:
 35:9c:e2:ef:5a:e6:13:7d:5a:10:ab:bf:49:8b:97:d9:
 57:2c:10:e5:3e:35:8a:b5:79:ba:f1:9b:85:4d:34:11:
 bc:3a:fd:4b:49:38:0e:13:c1:a2:20:5c:34:ac:e3:98
 Fingerprint (MD5):
 58:C8:D8:75:3A:81:90:94:C9:06:04:51:52:8E:E7:4B
 Fingerprint (SHA1):
 07:D2:80:8F:05:74:C1:86:43:1F:96:52:1F:A7:B4:4E:BF:61:7F:70
 Certificate Trust Flags:
 SSL Flags:
 Valid CA
 Trusted CA
 User
 Trusted Client CA
 Email Flags:
 User
 Object Signing Flags:
 User

Validate the user certificates:

$ certutil -V -d . -u C -n www
certutil: certificate is valid
$ certutil -V -d . -u C -n testca
certutil: certificate is valid
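
A way to audit the result of the renewal beyond reading the validity dates, as an added example that is not part of the original article: the shell functions below parse the pretty-printed "certutil -L -d . -n testca" listing and report whether every certificate under the nickname shares one public key and carries the Basic Constraints CA extension. The function names summarise_certs, check_renewal and sample_listing are hypothetical, and the embedded listing is a constructed, abbreviated sample.

```sh
# Added example: audit `certutil -L -d DB -n NICK` pretty-print output after renewal.
# summarise_certs prints one line per certificate: serial|not_after|ca_flag|modulus
summarise_certs() {
  awk '
    function flush() { if (seen) printf "%s|%s|%s|%s\n", serial, notafter, ca, mod }
    /^[ \t]*Certificate:[ \t]*$/ { flush(); seen = 1; serial = notafter = mod = ""
                                   ca = "no-ca-ext"; inmod = want = 0; next }
    /Serial Number:/ { serial = $0; sub(/.*Serial Number:[ \t]*/, "", serial)
                       want = (serial == ""); next }  # value may sit on the next line
    want             { serial = $0; gsub(/[ \t]/, "", serial); want = 0; next }
    /Not After/      { notafter = $0; sub(/.*Not After[ \t]*:[ \t]*/, "", notafter); next }
    /Modulus:/       { inmod = 1; next }
    /Exponent:/      { inmod = 0; next }
    inmod            { line = $0; gsub(/[ \t]/, "", line); mod = mod line; next }
    /Is a CA/        { ca = "ca" }
    END { flush() }'
}
# check_renewal reads the same listing on stdin and prints findings;
# no output means a single key and a CA extension on every certificate.
check_renewal() {
  report=$(summarise_certs)
  [ -n "$report" ] || { echo "FAIL: no certificates parsed"; return 1; }
  nkeys=$(printf '%s\n' "$report" | cut -d'|' -f4 | sort -u | grep -c .)
  [ "$nkeys" -eq 1 ] || echo "FAIL: $nkeys distinct public keys under one nickname"
  printf '%s\n' "$report" | awk -F'|' '$3 != "ca" {
    print "WARN: serial " $1 " (expires " $2 ") has no Basic Constraints CA extension" }'
}
# Constructed, abbreviated sample modelled on the listing above (hex values are made up).
sample_listing() {
  cat <<'EOF'
Certificate:
    Serial Number:
        00:96:14:79:7a
    Not After : Thu Nov 01 03:17:32 2012
    Modulus:
        aa:bb:cc:dd:ee:ff:00:11
    Exponent: 65537 (0x10001)
Certificate:
    Serial Number: 0 (0x0)
    Not After : Thu Dec 01 02:29:56 2011
    Modulus:
        aa:bb:cc:dd:ee:ff:00:11
    Exponent: 65537 (0x10001)
    Name: Certificate Basic Constraints
    Data: Is a CA with no maximum path length.
EOF
}
sample_listing | check_renewal
```

In the pretty-printed listing above, the renewed certificate has no Signed Extensions section while the original carries Basic Constraints, which is the condition the WARN line reports. certutil's -2 option on the -C command adds that extension when signing.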