This is a how-to article on renewing self-signed CA certificates using certutil commands. To create self-signed certificate authorities and other certificates, refer to the Mozilla documentation.
Just as ordinary user or server certificates expire, CA certificates also expire after a certain period, and one needs to know how to renew them.
Since this how-to is based on Mozilla NSS, I will explain with an example NSS database in which a CA and a user certificate have been created using certutil commands.
$ certutil -L -d /etc/pki/testca

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

testca                                                       CTu,u,u
www                                                          u,u,u

testca is the CA certificate and www is a user certificate.
$ certutil -L -d /etc/pki/testca -n testca | head -n 15
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=rootca0,O=Example.com,C=US"
        Validity:
            Not Before: Tue Nov 01 02:29:56 2011
            Not After : Thu Dec 01 02:29:56 2011
        Subject: "CN=rootca0,O=Example.com,C=US"

To view the private keys, issue the command below:

$ certutil -K -d /etc/pki/testca
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      2caa8cf41a5fc803902034710f59c296326cdcc8   NSS Certificate DB:testca
< 1> rsa      99059e9f59b710edcee11d4bd32fd97977bc121e   NSS Certificate DB:www

From the output above you can see the nickname of the private key used by testca (NSS Certificate DB:testca).
The procedure to renew the testca certificate is:
1. Create a certificate request using the same private key
2. Get it signed by the old CA
3. Add the newly signed CA certificate to the NSS database
Creating a certificate request using the same private key:

$ certutil -d . -R -k "NSS Certificate DB:testca" -s "CN=rootca0,o=Example.com,c=US" -a -o rootca.req

Brief explanation of the command options (for this command and the signing command that follows):
-R: Create a certificate-request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use the -o output-file argument.
-k: the nickname of the existing private key to reuse (here the testca key listed above)
-s: subject of the certificate (use the same subject as the earlier CA)
-m: serial number
-v: validity period in months
Sign the certificate request:

$ certutil -C -d . -c "testca" -a -i rootca.req -t "CT,," -o cacert.crt -m 0 -v 12

Add the certificate to the NSS database:

$ certutil -A -d . -n "testca" -a -i cacert.crt -t "CT,,"

List the CA certificate to check the validity period:
$ certutil -L -d . -n testca -a
-----BEGIN CERTIFICATE-----
MIIB4jCCAUugAwIBAgIFAJYUeXowDQYJKoZIhvcNAQEFBQAwNTELMAkGA1UEBhMC
VVMxFDASBgNVBAoTC0V4YW1wbGUuY29tMRAwDgYDVQQDEwdyb290Y2EwMB4XDTEx
MTEwMTAzMTczMloXDTEyMTEwMTAzMTczMlowNTELMAkGA1UEBhMCVVMxFDASBgNV
BAoTC0V4YW1wbGUuY29tMRAwDgYDVQQDEwdyb290Y2EwMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDHiALVOGuCo2c0xjIXqL5Q6RBSUva/b+NivWk9knSpe998
yFQ7mzbi8g4EzlOt896iVLkjiekSbtffxx6ye5ruGfwddpo6AnpXMhZvG7DKrWpZ
4CD1EPpW++DszuKBoZE50rcdHZC2o6iMAm2POXWCaHIapPfXbdahuyQQtgC+RQID
AQABMA0GCSqGSIb3DQEBBQUAA4GBALVoqevbP7haPKPyZwgD4kB4OofOc8z22KZh
+/KTai5RgnXbiGRK0hpV/imHC6j2KrPb3awmUTMXzWjQ9Pj4f4nuKFmM2QY8Vspb
PziB7IPlxKh1m30QZzVJHlTL7uMMFud5CJVSb1iB4J6BackhN+5MTGZRytXfN9A2
pHPzcjQM
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB8DCCAVmgAwIBAgIBADANBgkqhkiG9w0BAQUFADA1MQswCQYDVQQGEwJVUzEU
MBIGA1UEChMLRXhhbXBsZS5jb20xEDAOBgNVBAMTB3Jvb3RjYTAwHhcNMTExMTAx
MDIyOTU2WhcNMTExMjAxMDIyOTU2WjA1MQswCQYDVQQGEwJVUzEUMBIGA1UEChML
RXhhbXBsZS5jb20xEDAOBgNVBAMTB3Jvb3RjYTAwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAMeIAtU4a4KjZzTGMheovlDpEFJS9r9v42K9aT2SdKl733zIVDub
NuLyDgTOU63z3qJUuSOJ6RJu19/HHrJ7mu4Z/B12mjoCelcyFm8bsMqtalngIPUQ
+lb74OzO4oGhkTnStx0dkLajqIwCbY85dYJochqk99dt1qG7JBC2AL5FAgMBAAGj
EDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAP6F9K/y+WcL4tLij
5vmxdDK+iV/jRktQc0/QugpUUcoWT7pRVsGfsYhAUYMhlZmnxHuQeLp13xPn1FcY
DaojOPoQCifadC0OvlOivTnxQNU1nOLvWuYTfVoQq79Ji5fZVywQ5T41irV5uvGb
hU00Ebw6/UtJOA4TwaIgXDSs45g=
-----END CERTIFICATE-----

As you can see above, both certificates (old and new) are listed under the same nickname. Remove the -a option from the command above to see the pretty-printed output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 00:96:14:79:7a
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=rootca0,O=Example.com,C=US"
        Validity:
            Not Before: Tue Nov 01 03:17:32 2011
            Not After : Thu Nov 01 03:17:32 2012
        Subject: "CN=rootca0,O=Example.com,C=US"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    c7:88:02:d5:38:6b:82:a3:67:34:c6:32:17:a8:be:50:
                    e9:10:52:52:f6:bf:6f:e3:62:bd:69:3d:92:74:a9:7b:
                    df:7c:c8:54:3b:9b:36:e2:f2:0e:04:ce:53:ad:f3:de:
                    a2:54:b9:23:89:e9:12:6e:d7:df:c7:1e:b2:7b:9a:ee:
                    19:fc:1d:76:9a:3a:02:7a:57:32:16:6f:1b:b0:ca:ad:
                    6a:59:e0:20:f5:10:fa:56:fb:e0:ec:ce:e2:81:a1:91:
                    39:d2:b7:1d:1d:90:b6:a3:a8:8c:02:6d:8f:39:75:82:
                    68:72:1a:a4:f7:d7:6d:d6:a1:bb:24:10:b6:00:be:45
                Exponent: 65537 (0x10001)
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        b5:68:a9:eb:db:3f:b8:5a:3c:a3:f2:67:08:03:e2:40:
        78:3a:87:ce:73:cc:f6:d8:a6:61:fb:f2:93:6a:2e:51:
        82:75:db:88:64:4a:d2:1a:55:fe:29:87:0b:a8:f6:2a:
        b3:db:dd:ac:26:51:33:17:cd:68:d0:f4:f8:f8:7f:89:
        ee:28:59:8c:d9:06:3c:56:ca:5b:3f:38:81:ec:83:e5:
        c4:a8:75:9b:7d:10:67:35:49:1e:54:cb:ee:e3:0c:16:
        e7:79:08:95:52:6f:58:81:e0:9e:81:69:c9:21:37:ee:
        4c:4c:66:51:ca:d5:df:37:d0:36:a4:73:f3:72:34:0c
    Fingerprint (MD5):
        2B:90:4E:AE:E5:91:37:20:AD:41:A2:B1:4A:CC:16:A5
    Fingerprint (SHA1):
        DA:6C:F5:A1:A1:03:9B:6E:11:2C:BF:FA:DA:43:5C:D1:52:0B:B5:1B

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            User
        Object Signing Flags:
            User

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=rootca0,O=Example.com,C=US"
        Validity:
            Not Before: Tue Nov 01 02:29:56 2011
            Not After : Thu Dec 01 02:29:56 2011
        Subject: "CN=rootca0,O=Example.com,C=US"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    c7:88:02:d5:38:6b:82:a3:67:34:c6:32:17:a8:be:50:
                    e9:10:52:52:f6:bf:6f:e3:62:bd:69:3d:92:74:a9:7b:
                    df:7c:c8:54:3b:9b:36:e2:f2:0e:04:ce:53:ad:f3:de:
                    a2:54:b9:23:89:e9:12:6e:d7:df:c7:1e:b2:7b:9a:ee:
                    19:fc:1d:76:9a:3a:02:7a:57:32:16:6f:1b:b0:ca:ad:
                    6a:59:e0:20:f5:10:fa:56:fb:e0:ec:ce:e2:81:a1:91:
                    39:d2:b7:1d:1d:90:b6:a3:a8:8c:02:6d:8f:39:75:82:
                    68:72:1a:a4:f7:d7:6d:d6:a1:bb:24:10:b6:00:be:45
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Data: Is a CA with no maximum path length.
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        3f:a1:7d:2b:fc:be:59:c2:f8:b4:b8:a3:e6:f9:b1:74:
        32:be:89:5f:e3:46:4b:50:73:4f:d0:ba:0a:54:51:ca:
        16:4f:ba:51:56:c1:9f:b1:88:40:51:83:21:95:99:a7:
        c4:7b:90:78:ba:75:df:13:e7:d4:57:18:0d:aa:23:38:
        fa:10:0a:27:da:74:2d:0e:be:53:a2:bd:39:f1:40:d5:
        35:9c:e2:ef:5a:e6:13:7d:5a:10:ab:bf:49:8b:97:d9:
        57:2c:10:e5:3e:35:8a:b5:79:ba:f1:9b:85:4d:34:11:
        bc:3a:fd:4b:49:38:0e:13:c1:a2:20:5c:34:ac:e3:98
    Fingerprint (MD5):
        58:C8:D8:75:3A:81:90:94:C9:06:04:51:52:8E:E7:4B
    Fingerprint (SHA1):
        07:D2:80:8F:05:74:C1:86:43:1F:96:52:1F:A7:B4:4E:BF:61:7F:70

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            User
        Object Signing Flags:
            User
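Reading two pretty-printed certificates by eye is error-prone, so here is an added check, written for this article and not part of the original post or of NSS: it parses the pretty-print listing above and verifies what the renewal relies on (both copies under the nickname share one RSA modulus, the subject is unchanged and self-issued, and the newer copy extends the validity window), and it reports whether each copy carries the Certificate Basic Constraints extension. In the listing above only the serial-0 (old) certificate shows the Signed Extensions block; the renewed one was signed without it, and that is the condition the check flags. The sample input is a constructed, abridged copy of that listing, and the parser assumes the field layout printed by this version of certutil.

```python
"""Added example, not from the original article or NSS: sanity-check a renewed
NSS CA certificate from the pretty-print output of
`certutil -L -d <dbdir> -n <nickname>` (the listing shown above)."""
import re
from datetime import datetime

# Constructed sample, abridged from the listing above: signature blocks and
# MD5 fingerprints dropped, modulus cut to its first and last lines.
SAMPLE_LISTING = """\
Certificate:
    Data:
        Serial Number: 00:96:14:79:7a
        Issuer: "CN=rootca0,O=Example.com,C=US"
        Validity:
            Not Before: Tue Nov 01 03:17:32 2011
            Not After : Thu Nov 01 03:17:32 2012
        Subject: "CN=rootca0,O=Example.com,C=US"
            RSA Public Key:
                Modulus:
                    c7:88:02:d5:38:6b:82:a3:67:34:c6:32:17:a8:be:50:
                    68:72:1a:a4:f7:d7:6d:d6:a1:bb:24:10:b6:00:be:45
                Exponent: 65537 (0x10001)
    Fingerprint (SHA1):
        DA:6C:F5:A1:A1:03:9B:6E:11:2C:BF:FA:DA:43:5C:D1:52:0B:B5:1B
Certificate:
    Data:
        Serial Number: 0 (0x0)
        Issuer: "CN=rootca0,O=Example.com,C=US"
        Validity:
            Not Before: Tue Nov 01 02:29:56 2011
            Not After : Thu Dec 01 02:29:56 2011
        Subject: "CN=rootca0,O=Example.com,C=US"
            RSA Public Key:
                Modulus:
                    c7:88:02:d5:38:6b:82:a3:67:34:c6:32:17:a8:be:50:
                    68:72:1a:a4:f7:d7:6d:d6:a1:bb:24:10:b6:00:be:45
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Data: Is a CA with no maximum path length.
    Fingerprint (SHA1):
        07:D2:80:8F:05:74:C1:86:43:1F:96:52:1F:A7:B4:4E:BF:61:7F:70
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y"  # certutil prints e.g. "Thu Dec 01 02:29:56 2011"
VALIDITY_RE = re.compile(r"Not (Before|After)\s*:\s*(.+)")


def parse_listing(text):
    """Return one dict per unindented 'Certificate:' block (assumed layout)."""
    certs, cur, section = [], None, None
    for raw in text.splitlines():
        if raw.startswith("Certificate:"):  # column 0: a new certificate starts
            cur = {"modulus": "", "sha1": None, "is_ca": False}
            certs.append(cur)
            section = None
            continue
        if cur is None:
            continue
        line = raw.strip()
        if section == "modulus":  # hex lines continue until "Exponent:"
            if line.startswith("Exponent:"):
                section = None
            else:
                cur["modulus"] += line
                continue
        if section == "sha1" and line:  # value sits on the line after the label
            cur["sha1"], section = line, None
            continue
        m = VALIDITY_RE.match(line)
        if m:
            cur["not_" + m.group(1).lower()] = datetime.strptime(m.group(2).strip(), DATE_FMT)
        elif line.startswith("Serial Number:"):
            cur["serial"] = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:") or line.startswith("Subject:"):
            key = line.split(":", 1)[0].lower()
            cur[key] = line.split(":", 1)[1].strip().strip('"')
        elif line.startswith("Modulus:"):
            section = "modulus"
        elif line.startswith("Fingerprint (SHA1):"):
            section = "sha1"
        elif line.startswith("Data: Is a CA"):  # Basic Constraints, CA:TRUE
            cur["is_ca"] = True
    return certs


def check_renewal(listing, now_iso):
    """Compare the oldest- and newest-expiring certs under one nickname at date now_iso."""
    now = datetime.fromisoformat(now_iso)
    certs = sorted(parse_listing(listing), key=lambda c: c["not_after"])
    old, new = certs[0], certs[-1]
    return {
        "count": len(certs),
        "same_key": bool(old["modulus"]) and old["modulus"] == new["modulus"],
        "same_subject": old["subject"] == new["subject"],
        "self_signed": new["issuer"] == new["subject"],
        "old_expired": old["not_after"] < now,
        "new_valid_now": new["not_before"] <= now <= new["not_after"],
        "extends_validity": new["not_after"] > old["not_after"],
        "days_left": (new["not_after"] - now).days,
        "old_is_ca": old["is_ca"],
        "new_is_ca": new["is_ca"],
        "new_serial": new["serial"],
        "new_sha1": new["sha1"],
    }


if __name__ == "__main__":
    report = check_renewal(SAMPLE_LISTING, "2011-12-15")  # a date after the old expiry
    for key, value in report.items():
        print(f"{key:18} {value}")
    if not report["new_is_ca"]:
        print("WARNING: the renewed certificate has no Basic Constraints CA extension")
```

Run it against `certutil -L -d <dbdir> -n <nickname>` output redirected to a file (or paste it in place of the constructed sample). A `same_key` of False means the request was not made with `-k` pointing at the old key, so existing end-entity certificates would no longer chain to the renewed CA. A `new_is_ca` of False, as on this page, means the signing step did not reproduce the Basic Constraints extension the original CA carried; certutil's `-2` option adds that extension when signing, so the renewed certificate keeps the same CA marking as the one it replaces.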
Validate the user certificates:

$ certutil -V -d . -u C -n www
certutil: certificate is valid
$ certutil -V -d . -u C -n testca
certutil: certificate is valid