
Can I modify a private key validity?

I'm a newbie in computer security and I have a basic question whose answer I've not been able to find out.

I have a private key whose validity period has expired. Using that key I'd previously generated a .csr and sent it to a CA and they'd given me a certificate that's still valid.

My question is, can I (using keytool or whatever...) modify the private key's expiration date in order to use it with my certificate (.cer)? Could I regenerate a private key to be used with this certificate?

Thank you,

user1031431 asked Jul 29 '14 20:07




2 Answers

No.

The validity period is in the certificate, not the private key. Certificates cannot be modified, and the only entities that can generate valid certificates are the certificate authorities.

You will have to pay for a new certificate. Certificate expiration is a safety measure, but also a way to get recurring customers.

ntoskrnl answered Oct 12 '22 22:10


keytool -genkeypair does more than generating a key pair: it generates a pair of public and private keys, and wraps the public key into a self-signed X.509 certificate generated on the spot with the various options given (-dname, -validity, ...). It puts them together into the alias you choose (a private key entry will associate a private key and a certificate, or a certificate chain of length 1, to be precise).

Those options affect this self-signed X.509 certificate, not the key pair itself.

Normally, if you don't want to use a self-signed certificate, you produce a CSR based on this public key and the characteristics of this self-signed X.509 certificate (the structure of a CSR is in fact very similar to that of a self-signed certificate, but it doesn't have issuer or validity dates). That CSR is then used by your CA to issue an X.509 certificate (this time, signed by that CA).

You are meant to import it again into that alias, to be able to use the certificate with its private key. If your self-signed certificate (or an older certificate matching this private key) has expired, re-import the certificate that is still valid.

In fact, if there are intermediate certificates, you should not only import that certificate, but the certificate chain (see this question and this question).

If your .cer file is in DER format (binary) and not PEM format (base64-encoding of the DER format), you can convert it into PEM using openssl x509 -inform DER -in mycert.cer -outform PEM -out mycert.crt and use the result to build the chain and import it.

Bruno answered Oct 13 '22 00:10
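
Both answers rest on the validity period being a field of the certificate rather than of the key, which can be checked with openssl before a certificate is re-imported beside its private key. The script below is an added example, not part of the original answers; the file names and the demo.example subject are constructed, and comparing public keys as the match test is this example's own choice.

```shell
#!/bin/sh
# Added example: file names and the demo.example subject are constructed.
# Needs the openssl CLI; all files live in a temporary directory.

# Public key (PEM text) derived from a private key file.
key_pub() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Public key (PEM text) embedded in a certificate; $2 is PEM (default) or DER.
cert_pub() { openssl x509 -in "$1" -inform "${2:-PEM}" -noout -pubkey 2>/dev/null; }

# Expiry date stored in the certificate. A key file has no such field.
cert_not_after() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -enddate | cut -d= -f2
}

# True when the certificate carries the public half of this private key.
# An unreadable file gives an empty string and counts as a mismatch.
cert_matches_key() {
    _cp=$(cert_pub "$1" "${3:-PEM}")
    _kp=$(key_pub "$2")
    [ -n "$_cp" ] && [ "$_cp" = "$_kp" ]
}

demo() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/key.pem" 2048 2>/dev/null
    # Two self-signed certificates over the SAME key, differing only in validity.
    for days in 1 365; do
        openssl req -new -x509 -key "$d/key.pem" -subj "/CN=demo.example" \
            -days "$days" -out "$d/cert$days.pem" 2>/dev/null
    done
    # A certificate delivered as binary DER (.cer), converted to PEM as in the answer.
    openssl x509 -in "$d/cert365.pem" -outform DER -out "$d/cert365.cer"
    openssl x509 -inform DER -in "$d/cert365.cer" -outform PEM -out "$d/cert365.crt"
    rc=0
    for f in cert1.pem cert365.crt; do
        if cert_matches_key "$d/$f" "$d/key.pem"; then m=yes; else m=no; rc=1; fi
        echo "$f notAfter=$(cert_not_after "$d/$f") matches_key=$m"
    done
    rm -rf "$d"
    return "$rc"
}

demo
```

Both certificates report matches_key=yes with different notAfter dates, because the key file is identical and only the certificate wrapped around its public half changes.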