OPNsense Forum » Archive » 22.7 Legacy Series
Topic: Renew an internal certificate authority (Read 3879 times)
Rajstopy (Newbie, Posts: 27, Karma: 1)
Renew an internal certificate authority « on: April 21, 2023, 12:54:12 pm »
Dear all,
Just a basic question there. I use OPNsense to manage all my internal SSL certificates. My internal certificate authority is going to expire in a couple of weeks and I'm just wondering whether it is possible to renew the existing CA. If I create a new one, I'll need to renew all my SSL certificates within my network.
I think I may avoid this by using the existing CA private key to sign the renewed CA, but I don't know how to do it on OPNsense.
Should I simply create a new CA on an external system, using the current private key for signature?
Cheers,
R.
meyergru (Hero Member, Posts: 1710, Karma: 167, IT Aficionado)
Re: Renew an internal certificate authority « Reply #1 on: April 21, 2023, 02:02:58 pm »
You can do that, but what do you gain? You have to import the new CA into whatever uses it anyway. That is the reason why CA certificates (other than the ones they issue) are usually long-lived.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005, 1100 down / 440 up, Bufferbloat A+
Rajstopy (Newbie, Posts: 27, Karma: 1)
Re: Renew an internal certificate authority « Reply #2 on: April 21, 2023, 04:51:43 pm »
I just want to do that because I have many more servers than clients...
I did try what I suggested, but it seems not to be working... Clients are complaining about not recognizing the server certificate, even though the CA was signed with the initial private key... I fear that I will have to renew all my stuff; I just did it 2 weeks ago and did not notice the CA expiration coming so soon... My fault...
Patrick M. Hausen (Hero Member, Posts: 6848, Karma: 575)
Re: Renew an internal certificate authority « Reply #3 on: April 21, 2023, 05:01:51 pm »
Sure. The signature contains the CA certificate. When that expires the signature is invalid. The key is necessary to perform the signature, but it's the certificate that is checked by clients connecting. They cannot check the key - it's private.
That's why certificate lifetimes of 5 or 10 years for CA certs are common. I'd recommend doing so this time. For a private internal CA - 10 years, YOLO!
The modern browser limitation of 390-something days applies to the server certificates only, not the CA.
Deciso DEC750
"People who think they know everything are a great annoyance to those of us who do." (Isaac Asimov)
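As an added example (not from the thread and not OPNsense's own tooling), the OpenSSL script below reproduces what Patrick describes: a CA certificate re-issued from the same private key carries the same public key, the old CA certificate stops validating the server certificate once its lifetime is over, and the re-issued one validates it again, but only for a client that has been given the new CA certificate (meyergru's point about having to import it anyway). All names, subjects and lifetimes are constructed for the demo; it assumes `openssl` on PATH.

```shell
# Added example (not OPNsense or the thread's code): re-issue a CA certificate
# from the SAME private key and see what a client actually validates.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Extensions for the CA certificate (constructed for this demo).
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
  'keyUsage=critical,keyCertSign,cRLSign' > ca.ext

# 1. Internal CA with a deliberately short lifetime (1 day).
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
  -subj '/CN=Demo Internal CA' 2>/dev/null
openssl x509 -req -in ca.csr -signkey ca.key -days 1 -extfile ca.ext \
  -out ca-old.crt 2>/dev/null

# 2. One server certificate issued by that CA (365 days).
openssl req -new -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -subj '/CN=srv.example.internal' 2>/dev/null
openssl x509 -req -in srv.csr -CA ca-old.crt -CAkey ca.key -CAcreateserial \
  -days 365 -out srv.crt 2>/dev/null

# 3. "Renew" the CA: a new certificate from the same key and subject, 10 years.
openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -extfile ca.ext \
  -out ca-new.crt 2>/dev/null

# SHA-256 of the public key inside a certificate (same for old and new CA cert).
pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Validate srv.crt against a trust store that holds only $1, as if the client's
# clock read $2 (seconds since the epoch). Prints ok or fail.
verify_at() {
  if openssl verify -attime "$2" -CAfile "$1" srv.crt >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

NOW="$(date +%s)"
IN_TWO_DAYS="$((NOW + 2 * 86400))"
echo "public key unchanged: $(pubkey_fp ca-old.crt) = $(pubkey_fp ca-new.crt)"
echo "old CA cert, today:     $(verify_at ca-old.crt "$NOW")"         # ok
echo "old CA cert, in 2 days: $(verify_at ca-old.crt "$IN_TWO_DAYS")" # fail: CA cert expired
echo "new CA cert, in 2 days: $(verify_at ca-new.crt "$IN_TWO_DAYS")" # ok, if the client trusts it
```

The last line is the operational catch: the server certificates need no re-issuing, but every client still has to receive and trust the re-issued CA certificate before the old one's notAfter date passes.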
Rajstopy (Newbie, Posts: 27, Karma: 1)
Re: Renew an internal certificate authority « Reply #4 on: April 21, 2023, 05:33:13 pm »
OK, thanks for confirming that. I will renew all and take care next time :-)