Renew CA



  • Sorry in advance for my lack of knowledge on PKI and how CA certs are supposed to be renewed...

    How do you renew a not-yet-expired CA in the GUI of pfSense 2.x?  Do you just issue a new certificate with the same DN attributes, then "edit" the existing CA with the exports from the new certificate?


  • Rebel Alliance Global Moderator

    I believe the default for creation of a CA is 10 years (3650 days); did you edit it to something very short?  I would believe the normal way to do it would be to bring your new CA online before the old one expires and change over to the new CA.

    But if need be you can create a new CA with the old private key, and keys signed with the old CA would be good since it is the same private key.



  • It's an import from a previous easy-rsa installation.  Of the two things you presented, the 2nd sounds more like what I'm looking for – I don't want a new CA, I want to renew the existing CA.

    Which is to say -- how do you "create a new CA with the old private key" but with new dates?


  • Rebel Alliance Global Moderator

    I would prob do it with openssl, and then just import into pfsense.

    So I created a test CA that expires in 1 year:

    emailAddress=test@test.test, ST=test, O=test, L=test, CN=test-ca, C=US
      Valid From: Mon, 05 May 2014 13:18:26 -0500
      Valid Until: Tue, 05 May 2015 13:18:26 -0500

    Then I exported the crt and key, and used openssl:

    [2.1.3-RELEASE][root@pfsense.local.lan]/tmp(6): openssl x509 -x509toreq -in testdate.crt -signkey testdate.key -out newdate.csr
    Getting request Private Key
    Generating certificate request

    I then signed it with the same key but put 10 years on it:

    [2.1.3-RELEASE][root@pfsense.local.lan]/tmp(7): openssl x509 -in newdate.csr -out newdate.crt -signkey testdate.key -req -days 3650
    Signature ok
    subject=/C=US/ST=test/L=test/O=test/emailAddress=test@test.test/CN=test-ca
    Getting Private key

    Then I just imported the newdate.crt and the testdate.key into a new CA.  As you can see, it shows good for 10 years now:

    emailAddress=test@test.test, ST=test, O=test, L=test, CN=test-ca, C=US
      Valid From: Mon, 05 May 2014 13:24:06 -0500
      Valid Until: Thu, 02 May 2024 13:24:06 -0500

    This should still validate your old certs because it is the same key, etc.  I would test for sure, etc.  This is just off the top of my head of how you could do it; I prob wouldn't do this.  I would just create a new CA and issue new certs, etc.  But this should work, I do believe.  Again, TEST it before you do a mass issue of certs from this CA, etc.
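    The same renewal as a self-checking script, added here and not part of the thread: it builds a constructed throwaway PKI (invented DNs, file names and a temp directory), renews the CA with the same key via -x509toreq, and then proves an old leaf cert still verifies against the renewed CA.  It goes one step beyond the commands above: -x509toreq does not carry extensions into the CSR, so the script re-adds basicConstraints/keyUsage via -extfile, otherwise the renewed cert can come out without CA:TRUE.

```shell
#!/bin/sh
# Renew a CA cert in place (same key, same DN, new dates) and check the result.
# Everything below is a constructed demo PKI; no real CA material is used.
renew_ca_demo() {
    d=$(mktemp -d) || return 1
    # Extensions a CA must keep; x509toreq drops them, so re-add them when signing.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca-ext.cnf"

    # 1. Original short-lived CA (stands in for the 1-year easy-rsa CA of the thread).
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$d/ca.key" -subj '/C=US/O=test/CN=test-ca' -out "$d/ca.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 1 \
        -extfile "$d/ca-ext.cnf" -out "$d/ca.crt" 2>/dev/null || return 1

    # 2. A leaf cert issued by the ORIGINAL CA (the kind we must not break).
    openssl genrsa -out "$d/leaf.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$d/leaf.key" -subj '/CN=vpn-client' -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 1 -out "$d/leaf.crt" 2>/dev/null || return 1

    # 3. Renewal: cert -> CSR (same DN), then self-sign again with the SAME key for 10 years.
    openssl x509 -x509toreq -in "$d/ca.crt" -signkey "$d/ca.key" -out "$d/renew.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/renew.csr" -signkey "$d/ca.key" -days 3650 \
        -extfile "$d/ca-ext.cnf" -out "$d/ca-renewed.crt" 2>/dev/null || return 1

    # 4. Checks: same public key, same subject, CA:TRUE kept, old leaf still validates.
    [ "$(openssl x509 -noout -pubkey -in "$d/ca.crt")" = \
      "$(openssl x509 -noout -pubkey -in "$d/ca-renewed.crt")" ] || return 2
    [ "$(openssl x509 -noout -subject -in "$d/ca.crt")" = \
      "$(openssl x509 -noout -subject -in "$d/ca-renewed.crt")" ] || return 3
    openssl x509 -noout -text -in "$d/ca-renewed.crt" | grep -q 'CA:TRUE' || return 4
    openssl verify -CAfile "$d/ca-renewed.crt" "$d/leaf.crt" >/dev/null 2>&1 || return 5
    openssl x509 -noout -enddate -in "$d/ca-renewed.crt"   # new expiry, ~10 years out
    rm -rf "$d"
    return 0
}
```

ca-renewed.crt plus the unchanged ca.key is what you would then import as the CA in the pfSense GUI.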






  • Awesome!  Thanks for the information!  It's exactly what I was looking for (and confirmation that it wouldn't be do-able in the GUI).