Suppose your certificate private key (original request) is in the file my-key.pem and the signed certificate is in my-cert.pem.

Validate Certificate

Validate the certificate by issuing the following command:

    openssl verify my-cert.pem

Here is sample output from the check (in this case for an expired certificate):

    my-cert.pem: ...
    error 10 at 0 depth lookup:certificate has expired
    OK

If verification shows that the certificate has expired, you need to renew it.

Renew Certificate

Renewal of an expired certificate consists of two steps: revoke the old one, then sign the certificate request.

- Revoke the expired certificate (you will be asked for the Certificate Authority password):

    ca1:~/ca# openssl ca -revoke my-cert.pem
    Using configuration from /usr/lib/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Revoking Certificate EFDAF4493BC3D5BB.
    Data Base Updated

- Rename your certificate key (request) file to newreq.pem, then sign it:

    ca1:~/ca# mv my-key.pem newreq.pem
    ca1:~/ca# /usr/lib/ssl/misc/CA.sh -sign
    ...
    Signed certificate is in newcert.pem

Troubleshooting

If you get an error like the one below:

    failed to update database
    TXT_DB error number 2

You must revoke the previous certificate from the CA database.
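
An added example (not from the original page) of a pre-check to run before CA.sh -sign: it reads the CA index and reports any entry still marked valid for the subject of the certificate being replaced, which is the condition behind the error above. It assumes the database is demoCA/index.txt in OpenSSL's tab-separated format with unique subjects enforced; the function names and sample entries are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): pre-check before CA.sh -sign.
# index.txt is tab-separated: status, expiry, revocation date, serial,
# file name, subject DN. Status is V (valid), R (revoked) or E (expired).

# Print serials of entries still marked V that share the subject of the
# certificate with serial $2. Any output means signing would clash.
blocking_serials() {  # usage: blocking_serials INDEX_FILE OLD_SERIAL
    awk -F'\t' -v want="$2" '
        NR == FNR { if (toupper($4) == toupper(want)) subj = $6; next }
        subj != "" && $1 == "V" && $6 == subj { print $4 }
    ' "$1" "$1"
}

# Return 0 when no valid entry blocks re-signing, 1 otherwise.
# A serial that is not in the index at all also returns 0.
check_before_sign() {  # usage: check_before_sign INDEX_FILE OLD_SERIAL
    blockers=$(blocking_serials "$1" "$2")
    [ -z "$blockers" ] && return 0
    echo "revoke first (still V in $1): $blockers" >&2
    return 1
}

# Constructed sample database: one expired-but-unrevoked entry, one revoked
# entry and one unrelated valid entry. Names and dates are made up.
write_sample_index() {  # usage: write_sample_index FILE
    {
        printf 'V\t200101000000Z\t\tEFDAF4493BC3D5BB\tunknown\t/C=US/O=Example/CN=www.example.test\n'
        printf 'R\t190101000000Z\t181201000000Z\t01\tunknown\t/C=US/O=Example/CN=old.example.test\n'
        printf 'V\t400101000000Z\t\t02\tunknown\t/C=US/O=Example/CN=other.example.test\n'
    } > "$1"
}

# Demo on the sample. On a real CA the index is ./demoCA/index.txt (assumed
# default) and the serial comes from: openssl x509 -noout -serial -in my-cert.pem
demo_index=$(mktemp)
write_sample_index "$demo_index"
check_before_sign "$demo_index" EFDAF4493BC3D5BB || echo "step 1 (revoke) not done yet"
check_before_sign "$demo_index" 01 && echo "serial 01 is revoked, signing can proceed"
rm -f "$demo_index"
```

An expired certificate stays marked V in the index until it is revoked, which is why the revoke step comes before signing.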