Menu
I'm a newbie in computer security and I have a basic question whose answer I've not been able to find out.
I have a private key whose validity period has expired. Using that key I'd previously generated a .csr and sent it to a CA and they'd given me a certificate that's still valid.
My question is, can I (using keytool or whatever...) modify the private key's expiration date in order to use it with my certificate (.cer). Could I regenerate a private key to be used with this certificate?
Thank you,
460
When you renew a certificate using the same private key, you extend the life of the private key and all information in the expiring certificate is updated to reflect the renewal, including the key ring connection information.
A private key is compromised when an unauthorized person obtains the private key or determines what the private key is that is used to encrypt and decrypt secret information. The compromised key can be used to decrypt encrypted data without the knowledge of the sender of the data.
No.
The validity period is in the certificate, not the private key. Certificates cannot be modified, and the only entities that can generate valid certificates are the certificate authorities.
You will have to pay for a new certificate. Certificate expiration is a safety measure, but also a way to get recurring customers.
184
keytool -genkeypair does more than generating a key pair: it generates a pair of public and private key, and wraps the public key into a self-signed X.509 certificate generated on the spot with the various options given (-dname, -validity, ...). It puts them together into the alias you choose (a private key entry will associate a private key and a certificate, or a certificate chain of length 1, to be precise).
Those options affect this self-signed X.509 certificate, not the key pair itself.
Normally, if you don't want to use a self-signed certificate, you produce a CSR based on this public key and the characteristics of this self-signed X.509 certificate (the structure of a CSR is in fact very similar to that of a self-signed certificate, but it doesn't have issuer or validity dates). That CSR is then used by your CA to issue an X.509 certificate (this time, signed by that CA).
You are meant to import it again into that alias, to be able to use the certificate with its private key. If your self-signed certificate (or an older certificate matching this private key) has expired, re-import the certificate that is still valid.
In fact, if there are intermediate certificates, you should not only import that certificate, but the certificate chain (see this question and this question).
If your .cer file is in DER format (binary) and not PEM format (base64-encoding of the DER format), you can convert it into PEM using openssl x509 -inform DER -in mycert.cer -outform PEM -out mycert.crt and use the result to build the chain and import it.
24
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
