Can I "resign" an existing CA cert without breaking anything?
on 09.10.2003 23:53:09 by Jason Haar
....a bit naive I know, but I'd rather be safe than regret it a week later ;-)
We have an existing internal CA designed around an OpenSSL 0.9.5-signed CA
(obviously we're using a newer release of OpenSSL now - but the CA cert was
created under 0.9.5).
It's all working well - until now. We have found that we cannot sign certs
created by Cisco IOS - well it can - but then the Cisco refuses to use it.
Upon talking to Cisco, they say it's because our CA has a Serial number of
"0" - which is illegal(!?). They said this was a known bug in OpenSSL that
was fixed in a later release...
Anyway, if all that is true, I'd like to simply re-create the CA cert under
a newer OpenSSL release - using the existing private key and serial number 1
- which for some reason is actually available (the first signed cert starts
at 2 - don't know why!).
If I do that (i.e. "openssl req -key "existing.key" -x509 -new ..."), will
it break the existing infrastructure? I've gone as far as creating the new
CA public key/"root cert", and diff'ing it against the old signed cert just
shows different serial number, dates and some signature hexes look
different. I mean, the public key created from the private key looks
identical to the old public key, so existing (old) HTTPS web servers that
only accept connections from client certs signed by our (old) CA should
happily accept client certs signed by our (new) CA? What about CRL? We make
extensive use of CRL to ensure only valid certs are accepted, so I'm worried
about that breaking.
I'm pretty sure that is doable - I'm just worried there are known bugs/issues
around this that may sting me a week/month later...
Thanks!
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: Can I "resign" an existing CA cert without breaking anything?
on 15.10.2003 00:58:24 by Jason Haar
On Fri, Oct 10, 2003 at 10:53:09AM +1300, Jason Haar wrote:
> It's all working well - until now. We have found that we cannot sign certs
> created by Cisco IOS - well it can - but then the Cisco refuses to use it.
> Upon talking to Cisco, they say it's because our CA has a Serial number of
> "0" - which is illegal(!?). They said this was a known bug in OpenSSL that
> was fixed in a later release...
>
> Anyway, if all that is true, I'd like to simply re-create the CA cert under
> a newer OpenSSL release - using the existing private key and serial number 1
> - which for some reason is actually available (the first signed cert starts
> at 2 - don't know why!).
>
Some results. If I simply renew the certificate - so that the only thing
that's changed is the expire date - that new CA cert can be used seamlessly
with the existing infrastructure.
However, I didn't want that. I wanted to change the Serial number from '0'
to '1'. So I renewed it again but set the serial to '1', and it breaks
everything :-(
Does that sound correct? Even though the private and public key are the
same, changing the serial number "isn't allowed"?
Sounds like we either tear out our entire PKI infrastructure and start
again, or I have to bring up a RA... Well, that's a hard choice ;-/
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Can I "resign" an existing CA cert without breaking anything?
on 17.10.2003 23:39:27 by Carlos Villegas
> Sounds like we either tear out our entire PKI infrastructure and start
> again, or I have to bring up a RA... Well, that's a hard choice ;-/
Just a thought: I think it should be possible for you to create a "second"
CA certificate with id 1, sign it with your first CA, and use that second CA
to sign Cisco's certs; that way the chain is preserved and everyone is happy.
Then you can start moving away from the initial CA at your pace.
Carlos
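The two outcomes discussed in this thread, as an added example that is not code from the thread or from Trimble's setup: `build_chain` does what Carlos suggests (a serial-1 issuing CA signed by the untouched serial-0 root, with a leaf chaining back to the root), and `resign_root_breaks_old_leaf` reproduces the breakage Jason reports when the root itself is re-signed with a new serial. It assumes the `openssl` CLI (1.1.1 or later) with a default `openssl.cnf`; the subjects, serials and the `issuer:always` extension on the old leaves are constructed for the demo, and whether Jason's CA config used that extension is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps the existing serial-0 root untouched,
# issues a second CA certificate with serial 1 under it (Carlos's suggestion), and shows
# that a leaf signed by that issuing CA still chains to the old root. Names are constructed.
set -eu

# build_chain DIR: writes root.pem, sub.pem and leaf.pem into DIR and verifies the chain.
build_chain() {
  dir=$1
  # Stand-in for the old root: self-signed with serial 0, as the early OpenSSL CA produced.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -set_serial 0 \
    -subj "/CN=Old Root CA (demo)" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  # Issuing CA: fresh key and CSR, signed by the old root with an explicit serial of 1.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Issuing CA 1 (demo)" \
    -keyout "$dir/sub.key" -out "$dir/sub.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid,issuer' > "$dir/sub.ext"
  openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -set_serial 1 -days 30 -sha256 -extfile "$dir/sub.ext" -out "$dir/sub.pem" 2>/dev/null
  # Leaf (the router's CSR in the thread) signed by the issuing CA, not by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=router.example (demo)" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/sub.pem" -CAkey "$dir/sub.key" \
    -set_serial 2 -days 30 -sha256 -out "$dir/leaf.pem" 2>/dev/null
  # Trust only the old root; the issuing CA is supplied as an untrusted intermediate.
  openssl x509 -in "$dir/sub.pem" -noout -serial          # serial=01
  openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/sub.pem" "$dir/leaf.pem"
}

# resign_root_breaks_old_leaf DIR: reproduces the failure Jason saw. Assumption: the old
# CA issued leaves with authorityKeyIdentifier=keyid,issuer:always, so each leaf records
# the issuer's serial; a root re-signed with serial 1 then no longer matches as issuer.
resign_root_breaks_old_leaf() {
  dir=$1   # expects leaf.csr, root.key and root.pem written by build_chain
  printf '%s\n' 'authorityKeyIdentifier=keyid,issuer:always' > "$dir/leaf0.ext"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -set_serial 2 -days 30 -sha256 -extfile "$dir/leaf0.ext" -out "$dir/leaf0.pem" 2>/dev/null
  # Same root key and subject as before, serial changed from 0 to 1 (Jason's command).
  openssl req -x509 -new -key "$dir/root.key" -sha256 -days 30 -set_serial 1 \
    -subj "/CN=Old Root CA (demo)" -out "$dir/root1.pem" 2>/dev/null
  openssl verify -CAfile "$dir/root.pem" "$dir/leaf0.pem"             # <dir>/leaf0.pem: OK
  openssl verify -CAfile "$dir/root1.pem" "$dir/leaf0.pem" >/dev/null 2>&1 && return 1
  echo "leaf0.pem: rejected by the re-signed root (issuer serial mismatch)"
}

d=$(mktemp -d)
build_chain "$d"
resign_root_breaks_old_leaf "$d"
```

Run it as-is to see both verdicts; the files it writes under the temporary directory can be inspected with `openssl x509 -text -noout`.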