Generate new CSR by referring existing details from current certificate including private key
From Notes_Wiki
Home > Security tips > Generate new CSR by referring existing details from current certificate including private key
This procedure relies on OpenSSL. It is not fully tested.
To generate a new CSR from the existing certificate and key, get it signed, and then import the result, use:
- On the existing server that holds the certificate and key, open mmc -> Certificates
- Export the existing certificate together with its private key in PFX format.
- A password must be given when exporting with the key.
- Copy the PFX file to a Linux machine that has openssl installed
- Convert the PFX to PEM using
- openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
- Enter the password that was given while exporting the key in the step above
- Then use OpenSSL to create a CSR with exactly the same details using the command below, with the additional "-days 3650" option for 10 years validity:
- openssl x509 -x509toreq -days 3650 -in certificate.pem -signkey certificate.pem -out request-new.csr
- Refer: https://security.stackexchange.com/questions/104139/generate-csr-from-existing-certificate
- Validate the CSR using:
- openssl req -noout -text -in <csr-file-name>
- to ensure it contains:
    ...
    Subject: ST=Telangana, OU=IT, O=Rekall, L=Hyderabad, C=IN, CN=server1.example.com
    ...
    Requested Extensions:
        X509v3 Subject Alternative Name:
            DNS:server1.example.com
        X509v3 Key Usage: critical
            Key Encipherment
- Without these fields the CA reports an error about a missing DNS SAN or something similar.
- TODO: Fix the above steps until the CSR text output contains the proper subject, SAN and key usage
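As an added example that is not part of the wiki page, the POSIX shell script below takes a different route to the same goal as the x509toreq command above: it reads the Subject and SAN out of the existing PEM (key plus certificate, as produced by the pkcs12 -nodes step), writes an openssl req config that re-requests them together with the key usage the page expects, generates the CSR with the existing private key, and then runs the same grep-style validation a reviewer would do on the openssl req -noout -text output. The file names (certificate.pem, req.cnf, request-new.csr), the config section names, and the two sample CSR text outputs are assumptions or constructed from the values shown on this page. The script passes no -days option: a CSR carries no validity period, and the lifetime of the issued certificate is decided by the CA (which is why the page changes the CA's registry settings).

```shell
#!/bin/sh
# Added example, not from the wiki page: build a CSR that re-requests the
# Subject and SAN of an existing certificate, adds the key usage the page
# expects, and checks the `openssl req -noout -text` output for all three.
# File names (certificate.pem, req.cnf, request-new.csr) are assumptions.
set -eu

# Return 0 only when CSR text contains a Subject with a CN, a DNS SAN and a
# Key Usage extension; report the first missing item on stderr otherwise.
check_csr_text() {
  text="$1"
  for pattern in 'Subject:.*CN=' 'X509v3 Subject Alternative Name' 'DNS:' 'X509v3 Key Usage'; do
    if ! printf '%s\n' "$text" | grep -q "$pattern"; then
      echo "CSR check failed: missing '$pattern'" >&2
      return 1
    fi
  done
  echo "CSR check passed: subject, SAN and key usage present"
}

# Write an `openssl req` config whose [dn] section is the existing subject
# (sep_multiline prints one "C=IN"-style line per RDN, already in config
# syntax) and whose [ext] section re-requests the SAN and key usage.
write_req_config() {
  cert="$1"; cfg="$2"
  san=$(openssl x509 -in "$cert" -noout -ext subjectAltName | sed -n '2p' | sed 's/^ *//')
  if [ -z "$san" ]; then
    # old certificate had no SAN: derive one from the CN so the CA accepts it
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline | awk -F= '/^ *CN=/ {print $2}')
    san="DNS:$cn"
  fi
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n'
    printf '[dn]\n'
    openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline | awk 'NR > 1 {sub(/^ +/, ""); print}'
    printf '[ext]\nsubjectAltName = %s\nkeyUsage = critical, keyEncipherment\n' "$san"
  } > "$cfg"
}

# Generate the CSR with the existing private key (the PEM from pkcs12 -nodes
# holds both key and certificate; openssl picks the PRIVATE KEY block) and
# validate the CSR's text output.
make_csr() {
  cert="$1"; csr="$2"
  write_req_config "$cert" req.cnf
  openssl req -new -key "$cert" -config req.cnf -out "$csr"
  check_csr_text "$(openssl req -noout -text -in "$csr")"
}

# Constructed sample of `openssl req -noout -text` output carrying the
# fields the wiki page wants (values taken from the page).
SAMPLE_GOOD='Certificate Request:
    Data:
        Subject: ST=Telangana, OU=IT, O=Rekall, L=Hyderabad, C=IN, CN=server1.example.com
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:server1.example.com
            X509v3 Key Usage: critical
                Key Encipherment'

# Constructed sample of a CSR made without extensions: the case the page
# describes, where the CA complains about the missing DNS SAN.
SAMPLE_NO_SAN='Certificate Request:
    Data:
        Subject: ST=Telangana, OU=IT, O=Rekall, L=Hyderabad, C=IN, CN=server1.example.com
        Attributes:
            a0:00'

# Usage with real files: sh make-csr.sh certificate.pem request-new.csr
# Without arguments, run the checker on the constructed good sample.
if [ "$#" -ge 2 ]; then
  make_csr "$1" "$2"
else
  check_csr_text "$SAMPLE_GOOD"
fi
```

The checker is deliberately separate from the generation step so it can be run against any CSR, including one produced by the page's own x509toreq command, before the request is submitted to the CA.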
- On the Active Directory server with the Certificate Authority that will sign the request, open regedit to change the default issuing validity from 1 year to 10 years
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA-Name>
- Ensure ValidityPeriod is set to "Years" (the default)
- Set ValidityPeriodUnits to 10 in decimal (the default is 1)
- Close regedit
- Open an "Administrative Command Prompt" and run
- net stop certsvc
- net start certsvc
- Refer: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/change-certificates-expiration-date
- Then on the AD server open Start Menu -> "Windows Administrative Tools" -> "Certificate Authority"
- Right-click the CA -> All Tasks -> Submit new request and select the CSR created above
- Go to Pending Requests -> All Tasks -> Issue
- Go to Issued Certificates -> open the certificate -> go to Details
- Ensure that the certificate is valid for another 10 years
- Click the 'Copy to file' button to export this certificate so it can be imported on the original server
- Copy the exported signed certificate from issuer to Linux machine
- On the Linux machine convert it from DER to PEM format using:
- openssl x509 -inform der -in certificate.cer -out certificate.pem
- Then copy the old expiring certificate-with-key PEM file to a new temporary file (e.g. certificate-with-10-year-key.pem)
- In this temporary file remove the old server certificate and paste the 10-year-validity PEM certificate in its place (replace only the server certificate's -----BEGIN CERTIFICATE----- through -----END CERTIFICATE----- block; do not replace the private key or the CA certificate)
- In the PEM file, before -----BEGIN PRIVATE KEY----- we should have:
    Bag Attributes
        Microsoft Local Key set: <No Values>
        localKeyID: ...
        friendlyName: ...
        Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
    Key Attributes
        X509v3 Key Usage: 10
- In the PEM file, before the server certificate we should have values similar to:
- subject=/C=IN/ST=Telangana/L=Hyderabad/O=Rekall/OU=IT/CN=server1.example.com
- Validate the combined PEM file:
- openssl crl2pkcs7 -nocrl -certfile certificate-with-10-year-key.pem | openssl pkcs7 -print_certs -noout
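Editing the combined PEM by hand is where the private key or CA certificate most easily gets clobbered, and the crl2pkcs7 check above only proves the certificates parse, not that the key still belongs to the server certificate. As an added example that is not from the wiki page, the POSIX shell script below does the splice mechanically: it locates the certificate block that follows the subject= line carrying the server CN (the marker the page describes), replaces only that block with the newly issued certificate, leaves the key and CA blocks untouched, and then compares the public key of the private key with the public key of the spliced-in certificate. The file names, the server CN argument, the issuer name and the placeholder PEM bodies in the samples are assumptions or constructed, not real key material.

```shell
#!/bin/sh
# Added example, not from the wiki page: replace the server certificate
# block in the exported PEM (key + server cert + CA cert) with the newly
# issued one, leaving the private key and CA certificate untouched, then
# verify the private key still matches the certificate now in the file.
# File names are assumptions; the PEM bodies in the samples are constructed.
set -eu

# Print the certificate block that follows the "subject=...CN=<cn>" line,
# which is how the page identifies the server certificate in the export.
cert_after_subject() {
  awk -v cn="$2" '
    /^subject=/ && index($0, "CN=" cn) { target = 1 }
    target && /-----BEGIN CERTIFICATE-----/ { p = 1 }
    p { print }
    p && /-----END CERTIFICATE-----/ { exit }
  ' "$1"
}

# Copy the combined PEM to $out, swapping the server certificate block for
# the first certificate block found in $newcert. Every other line is kept.
replace_server_cert() {
  combined="$1"; newcert="$2"; out="$3"; cn="$4"
  tmp=$(mktemp)
  awk '/-----BEGIN CERTIFICATE-----/ {p=1} p {print} p && /-----END CERTIFICATE-----/ {exit}' "$newcert" > "$tmp"
  awk -v newcert="$tmp" -v cn="$cn" '
    /^subject=/ && index($0, "CN=" cn) { target = 1 }
    target && /-----BEGIN CERTIFICATE-----/ {
      # splice the new certificate in, then skip the old block
      while ((getline line < newcert) > 0) print line
      close(newcert); skip = 1; target = 0
    }
    skip { if (/-----END CERTIFICATE-----/) skip = 0; next }
    { print }
  ' "$combined" > "$out"
  rm -f "$tmp"
}

# Return 0 when the private key in the file and the server certificate in
# the file carry the same public key (needs openssl; not used by the test).
key_matches_cert() {
  f="$1"; cn="$2"
  k=$(openssl pkey -in "$f" -pubout | openssl sha256)
  c=$(cert_after_subject "$f" "$cn" | openssl x509 -noout -pubkey | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed sample of the pkcs12 -nodes export. Bodies are placeholders,
# not base64; the issuer name is made up.
SAMPLE_COMBINED='Bag Attributes
    Microsoft Local Key set: <No Values>
    friendlyName: server1
Key Attributes
    X509v3 Key Usage: 10
-----BEGIN PRIVATE KEY-----
FAKEPRIVATEKEYBODY
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: server1
subject=/C=IN/ST=Telangana/L=Hyderabad/O=Rekall/OU=IT/CN=server1.example.com
issuer=/CN=Example-Issuing-CA
-----BEGIN CERTIFICATE-----
OLDSERVERCERTBODY
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/CN=Example-Issuing-CA
issuer=/CN=Example-Issuing-CA
-----BEGIN CERTIFICATE-----
OLDCACERTBODY
-----END CERTIFICATE-----'

# Constructed sample of the newly issued certificate after DER-to-PEM conversion.
SAMPLE_NEW_CERT='-----BEGIN CERTIFICATE-----
NEWSERVERCERTBODY
-----END CERTIFICATE-----'

# Usage with real files:
#   sh splice-cert.sh certificate.pem certificate-10-year.pem certificate-with-10-year-key.pem server1.example.com
# Without arguments, run the splice on the constructed sample and print it.
if [ "$#" -ge 4 ]; then
  replace_server_cert "$1" "$2" "$3" "$4"
  if key_matches_cert "$3" "$4"; then
    echo "private key matches the new server certificate"
  else
    echo "MISMATCH: private key does not match the certificate in $3" >&2
    exit 1
  fi
else
  d=$(mktemp -d)
  printf '%s\n' "$SAMPLE_COMBINED" > "$d/old.pem"
  printf '%s\n' "$SAMPLE_NEW_CERT" > "$d/new.pem"
  replace_server_cert "$d/old.pem" "$d/new.pem" "$d/out.pem" server1.example.com
  cat "$d/out.pem"
  rm -rf "$d"
fi
```

The key-match check is worth keeping even when the splice is done by hand: a PFX built from a mismatched key and certificate imports without complaint on Windows, and the mismatch only shows up when the service tries to use it.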
- Create a PFX from the combined PEM file using:
- openssl pkcs12 -export -out certificate-with-10-year-key.pfx -in certificate-with-10-year-key.pem
- and give an appropriate PFX password
- Copy the PFX file to the original server from which the first certificate with key was exported
- Open mmc -> Certificates -> Local computer -> import the certificate into the Personal store using the password
- After import, validate that the certificate is visible in the Personal store with 10 years validity
- Double-click the certificate; on the General page near the bottom, under "Valid from", it must say "You have a private key that corresponds to this certificate"