Renew an internal certificate authority

[Rajstopy]

Dear all,

Just a basic question there. I use OPNSense to manage all my internal SSL certificates. My internal certificate authority is going to expire in a couple of weeks and I'm just wondering whether it is possible to renew the existing CA. If a create a new one, I'll need to renew all my SSL certificates within my network.

I think I may avoid this by using the existing CA private key to sign the renewed CA, but I don't know how to do it on OPNSense.

Should I simply create a new CA on an external system, using the current private key for signature?

Cheers,
R.

[meyergru]

You can do that, but what do you gain? You have to import the new CA into whatever uses it anyway. That is the reason why CA certificates (other than the ones they issue) are usually long-lived.

[Rajstopy]

Just want to do that because I have much more servers than clients...

I did try what I suggested but seems not working... Clients are complaining not recognizing the server certificate, even if the CA was signed with the initial private key... I fear that I will have to renew all my stuff, just did it 2 weeks ago and did not noticed the CA expiration coming soon... My fault...

[Patrick M. Hausen]

Sure. The signature contains the CA certificate. When that expires the signature is invalid. The key is necessary to perform the signature, but it's the certificate that is checked by clients connecting. They cannot check the key - it's private

That's why certificate lifetimes of 5 or 10 years for CA certs are common. I'd recommend doing so this time. For a private internal CA - 10 years, YOLO!

The modern browser limitation of 390-something days applies to the server certificates, only, not the CA.

[Rajstopy]

Ok, thanks for confirming that. I will renew all and take care next time :-)