Certificate renewal

Started by XeroX, September 25, 2021, 03:24:50 PM

September 25, 2021, 03:24:50 PM Last Edit: September 25, 2021, 03:27:33 PM by XeroX
Hello,
is there any way to renew certificates that have been issued?

I use this as a "light" CA, as other systems are too complicated.

Cheers

You can create a certificate signing request from an existing certificate:

openssl x509 -x509toreq -in old.crt -signkey private.key -out new.csr

Then sign this with System, Trust, Certificates, click + and select 'Sign a Certificate Signing Request'

Bart...
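
A check that can be run on the CSR produced by the command above before it is signed in the GUI, as an added example that is not part of the thread: it confirms the rebuilt request carries the same public key and subject as the old certificate and that its self-signature verifies. The file names follow the command above; the function names, the throwaway key pair and the subject `web01.example.test` are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Keys, paths and subject are constructed.

# SHA-256 over the DER form of a PEM public key read on stdin.
pubkey_hash() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Subject in RFC 2253 form; $1 is "x509" or "req", $2 is the file.
subject_of() {
    openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Exit 0 only if the CSR is self-consistent and matches the old certificate.
csr_matches_cert() {
    local crt=$1 csr=$2
    # The CSR's self-signature shows it was made with the matching private key.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # Same key pair as the certificate being renewed.
    [ "$(openssl x509 -in "$crt" -noout -pubkey | pubkey_hash)" = \
      "$(openssl req -in "$csr" -noout -pubkey | pubkey_hash)" ] || return 1
    # Same subject name.
    [ "$(subject_of x509 "$crt")" = "$(subject_of req "$csr")" ]
}

# Build a throwaway certificate, rebuild its CSR as in the post above,
# and compare it with a CSR made from an unrelated key.
renew_demo() {
    local d; d=$(mktemp -d) || return 1      # mktemp -d creates a 0700 directory
    ( cd "$d" && umask 077 &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj '/CN=web01.example.test' -keyout private.key -out old.crt &&
      openssl req -new -newkey rsa:2048 -nodes \
          -subj '/CN=web01.example.test' -keyout other.key -out other.csr &&
      openssl x509 -x509toreq -in old.crt -signkey private.key -out new.csr
    ) >/dev/null 2>&1 || { rm -rf "$d"; return 1; }
    local good=fail bad=accepted
    csr_matches_cert "$d/old.crt" "$d/new.csr" && good=match
    csr_matches_cert "$d/old.crt" "$d/other.csr" || bad=rejected
    rm -rf "$d"
    echo "$good $bad"
}
```

With default options the CSR built by `-x509toreq` does not carry over the old certificate's extensions (SAN, keyUsage), so those still have to be set when the request is signed.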

I've to dig this up again. This feels uncomfortable when the private key was generated by opnsense and I don't know where the certificates are on the FS.

Thanks for the tip bartjsmit, but this doesn't work with a SubCA.


Is there a way to renew a certificate previously signed within OPNSense via CLI?

hi
Could you describe in more detail the initial data and the final goal?

I do have the following certificates issued by OPNSense.

CA
|_ Inspection CA -> SSL Inspection Web Proxy
|_ Signing CA
   |_ Several Certificates for Web Servers

Now some certificates for webservers are expired and the inspection CA is expired. How to get these re-signed with the same private key or if only possible to re-sign without private key?

I thought there is a better way than deleting and issuing again.


ah
you can try to export "old" certs .crt and .key files from System: Trust: Authorities (for CA cert) or System: Trust: Certificates (for server's certs).
then do what @bartjsmit advised.
what didn't work for CA?
did you specify the keyUsage?

Quote from: Fright on October 09, 2021, 12:33:36 PM
ah
you can try to export "old" certs .crt and .key files from System: Trust: Authorities (for CA cert) or System: Trust: Certificates (for server's certs).
then do what @bartjsmit advised.
what didn't work for CA?
did you specify the keyUsage?

Thank you. No, everything works with the CA, however I thought a simple renew button would have been nice as long as the private keys are managed by OPNSense.


sorry, didn't guess that this is a hint of adding a new feature  :D

Quote from: Fright on October 09, 2021, 04:01:20 PM
sorry, didn't guess that this is a hint of adding a new feature  :D

Kind of. Actually the question was more like "am I blind", "is there an easy way" or "can I achieve this via cmdline" to renew certificates.

However thanks for help!