Generate new CSR by referring existing details from current certificate including private key

From Notes_Wiki

Home > Security tips > Generate new CSR by referring existing details from current certificate including private key

This procedure relies on OpenSSL internally. It is not fully tested.

To generate a new CSR from an existing certificate and key, sign it, and then import the result, use:

  1. On the existing server that holds the certificate and key, open mmc -> Certificates
  2. Export the existing certificate with its key in pfx format.
    A password must be given when exporting with the key.
  3. Copy this to a Linux machine that has openssl
  4. Convert pfx to PEM using
    openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
    Give the password that was set while exporting the key in the above step
  5. Then use OpenSSL to get a CSR with exactly the same details using the command below, with the additional "-days 3650" option for 10 years validity:
    openssl x509 -x509toreq -days 3650 -in certificate.pem -signkey certificate.pem -out request-new.csr
    Refer: https://security.stackexchange.com/questions/104139/generate-csr-from-existing-certificate
  6. Validate the CSR output using:
    openssl req -noout -text -in <csr-file-name>
    to ensure it contains:
          ...
          Subject: ST=Telangana, OU=IT, O=Rekall, L=Hyderabad, C=IN, CN=server1.example.com
          ...
           Requested Extensions:
                X509v3 Subject Alternative Name:
                    DNS:server1.example.com
                X509v3 Key Usage: critical
                    Key Encipherment
    Without this we get an error about a missing DNS SAN or something similar.
    TODO: Fix the above steps until the CSR text output contains the proper subject, SAN and key usage
  7. On the Active Directory server with the Certificate Authority that will sign the request, use regedit to change the default issuing validity from 1 year to 10 years:
    1. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA-Name>
    2. Ensure ValidityPeriod is "Years" (the default)
    3. Set ValidityPeriodUnits to 10 in decimal (the default is 1)
    4. Close regedit
    5. Open an "Administrative Command Prompt" and run
      net stop certsvc
      net start certsvc
      Refer: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/change-certificates-expiration-date
  8. Then on the AD server open Start Menu -> "Windows Administrative Tools" -> "Certificate Authority"
  9. Right-click the CA -> All Tasks -> Submit new request and select the request created above
  10. Go to Pending Requests -> All Tasks -> Issue
  11. Go to Issued Certificates -> open the certificate -> go to Details
    1. Ensure that the certificate is valid for another 10 years
    2. Click the 'Copy to File' button to export this certificate so it can be imported on the original server
      Refer: https://www.ibm.com/docs/en/rds/5.2.1?topic=security-exporting-certificate-from-active-directory-server
  12. Copy the exported signed certificate from the issuer to the Linux machine
  13. On the Linux machine convert from DER to PEM format using:
    openssl x509 -inform der -in certificate.cer -out certificate.pem
  14. Then copy the old expiring certificate-with-key PEM file to a new temporary file (e.g. certificate-with-10-year-key.pem)
  15. In this new temporary file remove the old server certificate and paste the 10-year-validity PEM certificate in its place (replace only the server's --BEGIN CERTIFICATE-- to --END CERTIFICATE-- block; do not replace the private key or the CA certificate)
  16. In the PEM file, before --BEGIN PRIVATE KEY--, we should have:
    Bag Attributes
        Microsoft Local Key set: <No Values>
        localKeyID: ...
        friendlyName: ...
        Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
    Key Attributes
        X509v3 Key Usage: 10
  17. In the PEM file, before the server certificate, we should have values similar to:
    subject=/C=IN/ST=Telangana/L=Hyderabad/O=Rekall/OU=IT/CN=server1.example.com
  18. Validate the combined PEM file:
    openssl crl2pkcs7 -nocrl -certfile certificate-with-10-year-key.pem | openssl pkcs7 -print_certs -noout
  19. Create pfx from the combined pem file using:
    openssl pkcs12 -export -out certificate-with-10-year-key.pfx -in certificate-with-10-year-key.pem
    and give an appropriate pfx password
  20. Copy the pfx file to the original server from which we exported the first certificate with key
  21. Open mmc -> Certificates -> Local Computer -> import the certificate into the Personal store with the password
  22. After import, validate that the certificate is visible in the Personal store with 10-year validity
  23. Double-click the certificate; on the General page near the bottom, under "Valid from", it must indicate "You have a private key that corresponds to this certificate"
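The following script is added here and is not part of the wiki's own notes: it automates steps 4 to 6 and turns the check in step 6 into a function that fails when the CSR text lacks the subject CN, the DNS SAN or the key usage extension (the case the TODO in step 6 describes). It assumes OpenSSL 3.0 or later, whose -copy_extensions option carries the certificate's extensions into the request; on older OpenSSL the SAN is not copied and the check reports it.

```shell
#!/bin/sh
# Added example, not from the wiki page: steps 4-6 as a script plus the step 6
# check as a function. Assumes OpenSSL 3.0+ (-copy_extensions is a 3.0+ option).
set -eu

# Return 0 only if the "openssl req -noout -text" output on stdin has a Subject
# with a CN, a DNS: entry under Subject Alternative Name and a Key Usage
# extension. Pure text check, so it also runs on saved output without openssl.
validate_csr_text() {
    text=$(cat)
    printf '%s\n' "$text" | grep -q '^ *Subject:.*CN *= *[^, ]' \
        || { echo "CSR check: missing Subject CN" >&2; return 1; }
    # The SAN value is printed on the line after the extension name.
    printf '%s\n' "$text" | awk '
        /X509v3 Subject Alternative Name/ { san = 1; next }
        san && /DNS:/ { found = 1 }
        { san = 0 }
        END { exit found ? 0 : 1 }' \
        || { echo "CSR check: missing DNS SAN" >&2; return 1; }
    printf '%s\n' "$text" | grep -q 'X509v3 Key Usage' \
        || { echo "CSR check: missing Key Usage" >&2; return 1; }
}

# Steps 4-6: pfx -> PEM -> CSR, then validate. Usage: csr_from_pfx cert.pfx new.csr
csr_from_pfx() {
    pfx=$1
    csr=$2
    pem=${pfx%.pfx}.pem
    # Step 4: unpack the PKCS#12 bundle; prompts for the export password.
    openssl pkcs12 -in "$pfx" -out "$pem" -nodes
    # Step 5: reuse subject and key; -copy_extensions copyall (OpenSSL 3.0+)
    # carries the SAN and key usage, which x509toreq drops by default.
    openssl x509 -x509toreq -in "$pem" -signkey "$pem" \
        -copy_extensions copyall -out "$csr"
    # Step 6: refuse to hand the CA a request missing subject, SAN or key usage.
    openssl req -noout -text -in "$csr" | validate_csr_text
}

if [ $# -eq 2 ]; then
    csr_from_pfx "$1" "$2" && echo "CSR $2 has subject CN, DNS SAN and key usage"
fi
```

Run it as `sh script.sh certificate.pfx request-new.csr`; a non-zero exit with a "CSR check:" message means the request should not be submitted to the CA yet.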