I’m in the process of moving servers at the moment, and amongst the services I am moving is my authenticated, but public SMTP relay service. That service includes a basic web-based CA whose CA certificate is going to expire in July 2008. Apparently, it is possible to refresh CA certificates without having to distribute fresh certificates to all the clients. The magic steps, using openssl are:

First, generate a new CSR using the existing certificate and key as input:

openssl x509 -x509toreq -in cacert.crt \
  -signkey cakey.key -out renew.pem

Then sign it:

openssl x509 \
  -extfile openssl.cnf \
  -extensions v3_ca \
  -CA cacert.crt -CAkey cakey.key \
  -set_serial 0 -days 365 \
  -req -in renew.pem -out newcacert.pem

This information was quite hard to come by, so hereby put here so I can find it if I need it again.

Back to posts