Linux – Renew SSL client certificates

Tags: linux, openssl, ssl-certificate, x509

For an internally used web-based application, which must be available from everywhere, I have created client certificates which are installed in the browsers of authorized consumers.

Now, with 2012 being over, all of them have expired and need a renewal.
I've given out PKCS #12 certificates (.p12).

Here are my questions:

  • Is it possible to extend the client certificate lifetime?
  • Do I have to reinstall the certificate on all clients, or is there another way (e.g. centrally from the server, some kind of update mechanism maybe)?
  • How do I renew / regenerate client certificates using openssl on Linux?

Because this might be of interest, here is how I created the browser certificates:

# client private key, encrypted with 3DES (1024-bit RSA, which is below
# today's minimum of 2048 bits)
openssl genrsa -des3 -out client.key 1024

# generate certificate signing request (subject fields are prompted for)
openssl req -new -key client.key -out client.csr

# create certificate, sign with the CA key (ca.key / ca.crt)
# note: -set_serial 01 gives every certificate issued this way the same
# issuer and serial; a browser that already holds one such certificate
# (e.g. the expired one) will refuse to import a second with the same serial
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

# export certificate and private key into PKCS #12 for the browser
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Best Answer

Is it possible to extend the client certificate lifetime?

No, this is not possible.
The client certificate has a fixed validity period which cannot be changed. The only possibility is to create a new certificate with a new validity period.

Do I have to reinstall the certificate on all clients or is there another way

You have no access from your server to the certificates in your clients' browsers. What you can do is develop a web page (authenticated with client certificates) that allows users to create a new certificate and import it into their browser.
On the server side of this web page, you can create a new certificate either with the same certificate request you used last year (a bit less secure) or by creating a new certificate request from the information you have about the user in your DB. You can do this with openssl the same way you described in your post.

How do I renew / regenerate client certificates using openssl on linux

As I wrote for the previous question, you need to create a new certificate. You can do this using the certificate request you used last year, or you create a new one (more secure but also more complex). Then you need to sign that request with the server key and export it into PKCS #12.

I would stick with your current validity time (1 year), even if it is some trouble to renew the certificates, because the longer the certificates are valid, the bigger the chance is that some authorised user becomes unauthorised but still has a valid certificate.
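The renewal flow the answer describes, as an added shell example (editor-supplied code, not part of the question or the answer above): it sets up a throwaway CA and a client issued with -set_serial 01 like the one in the question, re-signs the same CSR with the CA key for a fresh year, exports the result to PKCS #12, and checks the renewed certificate with openssl verify, including what a browser will conclude 400 days from now. The scratch directory, file names, subjects and the export password are assumptions.

```shell
#!/bin/sh
# Added example (not from the question or the answer): renew a browser client
# certificate by re-signing the existing CSR with the CA key for a new validity
# window, then re-export it as PKCS#12. File names, subjects and the export
# password are assumptions; everything lives in a scratch directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# One-time setup standing in for the CA and the client issued in 2012
# (a self-signed demo CA; the client gets -set_serial 01 as in the question).
setup_ca_and_client() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Demo Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=alice/emailAddress=alice@example.internal" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -set_serial 01 \
    -out "$WORK/client.crt" >/dev/null 2>&1
}

# Renewal: the CSR (and therefore the user's key pair) is reused; only the
# validity period and the serial change. -CAcreateserial keeps a counter in
# ca.srl next to ca.crt, so renewals get distinct serials instead of repeating
# the hard-coded 01, which a browser still holding the expired certificate
# would reject as a duplicate issuer/serial pair.
renew_client_cert() {
  openssl x509 -req -days 365 -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/client-renewed.crt" >/dev/null 2>&1
  # Re-export for the browser; the password is a placeholder.
  openssl pkcs12 -export -clcerts -in "$WORK/client-renewed.crt" \
    -inkey "$WORK/client.key" -out "$WORK/client-renewed.p12" \
    -passout pass:changeit >/dev/null 2>&1
}

# Exit 0 iff the certificate chains to the demo CA and is valid at the given
# epoch time (-attime shows what a verifier will decide on that day).
cert_is_valid_at() {
  openssl verify -CAfile "$WORK/ca.crt" -attime "$2" "$1" >/dev/null 2>&1
}

cert_serial()    { openssl x509 -in "$1" -noout -serial  | cut -d= -f2; }
cert_not_after() { openssl x509 -in "$1" -noout -enddate | cut -d= -f2; }

# Exit 0 iff the certificate carries the public key of the given private key,
# i.e. the renewal did not silently switch the user to a different key pair.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

main() {
  setup_ca_and_client
  renew_client_cert
  for c in client client-renewed; do
    printf '%-16s serial=%s  notAfter=%s\n' "$c" \
      "$(cert_serial "$WORK/$c.crt")" "$(cert_not_after "$WORK/$c.crt")"
  done
  # 400 days from now the renewed certificate has expired as well, which is
  # the point of keeping the one-year lifetime: renewal is a yearly routine.
  later=$(( $(date +%s) + 400 * 86400 ))
  if cert_is_valid_at "$WORK/client-renewed.crt" "$later"; then
    echo "renewed cert still valid in 400 days (unexpected)"
  else
    echo "renewed cert will have expired in 400 days; renew again next year"
  fi
}

main
```

The script leaves client-renewed.p12 in the scratch directory; handing that file to the user and having them import it is the step the answer says cannot be pushed from the server. Re-signing the old CSR keeps the user's key pair, so key_matches_cert succeeding is the check that the renewal did what was intended.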