0

Say I create a CSR with OpenSSL and send it to a Root CA for signing. Let's assume that the certificate was issued for 2 years. The two years are almost over and the certificate is about to expire. Do I still have to have the original CSR to extend it, or how is it handled? Or will I get a new certificate after these 2 years?

cyzczy
  • Apart from being mostly a duplicate: you can create a CSR from an existing certificate if you just want to renew it and thus there is no need to preserve the original CSR. – Steffen Ullrich Sep 12 '17 at 13:24
  • @SteffenUllrich how would I do this? – cyzczy Sep 12 '17 at 13:27
  • @adam86: A [simple search](https://www.google.com/search?q=create+csr+from+certificat) leads you to [Generate CSR from existing certificate](https://security.stackexchange.com/questions/104139/generate-csr-from-existing-certificate). – Steffen Ullrich Sep 12 '17 at 13:58

1 Answer

1

Your CSR is essentially a wrapper for your public key, along with some identifying information (domain, organization name, locale, region, country etc.) and a digital signature (using your private key, verifiable using the public key that it contains).

The Root CA you're using for signing will determine how many of these fields are really necessary; at a bare minimum a CA will only pull the public key from your CSR, so the answer really comes down to checking with your CA what they need. Most CAs I know of will support a certificate 'renewal' (generating a new certificate that is nearly identical to the existing one, but with a new validity period) from the original CSR. They will also typically allow you to optionally provide a new CSR to change the public key, and either enforce that the other information is the same or simply ignore any differing information in the new CSR.

As an example, Entrust Datacard's retail certificate purchasing wizard pulls the domain, public key, and any Subject Alternative Names from the CSR and discards everything else. The Organization information fields and certificate validity period are populated through their UI.
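The following is an added example, not part of the original answer or comments: it rebuilds a CSR from an existing certificate with OpenSSL and checks that the new CSR carries the same public key and a valid self-signature. The file names, the subject, and the self-signed stand-in for the CA-issued certificate are constructed assumptions; note that the private key, not the original CSR, is what must be kept.

```shell
#!/bin/sh
# Added example: file names and subject are constructed for illustration.

# Create a key pair and the "original" CSR, then a stand-in for the issued
# certificate (self-signed for 2 years here; a real CA would sign the CSR).
make_original() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/key.pem" -out "$dir/orig.csr" \
        -subj "/C=US/O=Example Org/CN=www.example.test" 2>/dev/null &&
    openssl x509 -req -in "$dir/orig.csr" -signkey "$dir/key.pem" \
        -days 730 -out "$dir/cert.pem" 2>/dev/null
}

# Rebuild a CSR from the existing certificate. The private key is required
# because the CSR must be signed again; the original CSR is not needed.
csr_from_cert() {
    dir=$1
    openssl x509 -x509toreq -in "$dir/cert.pem" -signkey "$dir/key.pem" \
        -out "$dir/renew.csr" 2>/dev/null
}

# SHA-256 fingerprint of the public key inside a CSR (req) or cert (x509).
pubkey_fp() {
    kind=$1
    file=$2
    openssl "$kind" -in "$file" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# True if the CSR's self-signature verifies with the public key it contains.
# The message is matched because older OpenSSL exits 0 even on failure.
csr_sig_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# Demo in a scratch directory.
d=$(mktemp -d)
make_original "$d" && csr_from_cert "$d" &&
    echo "cert pubkey:    $(pubkey_fp x509 "$d/cert.pem")" &&
    echo "renewal pubkey: $(pubkey_fp req "$d/renew.csr")" &&
    csr_sig_ok "$d/renew.csr" && echo "renewal CSR signature OK"
rm -rf "$d"
```

Comparing the two fingerprints before submitting the CSR confirms the renewal will be bound to the key pair already deployed.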