How to renew a certificate?

#22003
Posted: 10/15/2012 10:29:14
by Zack Jhuang (Standard support level)
Joined: 06/11/2012
Posts: 15

According to the official documentation on certificate renewal, to renew a certificate we need to load the certificate which you wish to renew and its corresponding private key into the TElX509CertificateEx object, and then reset some properties (e.g., validity period)... Finally, we need a CA certificate which was used to sign the original certificate, along with the CA private key.

As mentioned above, the problem is where the operation should be done: on the client (ActiveX) or the CA side? As far as I know, it's impossible to load the CA private key on the client side, or the client private key on the server side, because neither of them makes sense (exposure risk of the private key), right?

How on earth can a certificate's validity period be renewed securely? Help please!
#22004
Posted: 10/15/2012 10:33:03
by Eugene Mayevski (EldoS Corp.)

The operation is done on the CA side, which signs the [public part of] the certificate.

There's no need to upload private key to the server.


Sincerely yours
Eugene Mayevski
#22005
Posted: 10/15/2012 10:41:52
by Zack Jhuang (Standard support level)
Joined: 06/11/2012
Posts: 15

Does the documentation need updating?
#22006
Posted: 10/15/2012 10:46:51
by Vsevolod Ievgiienko (EldoS Corp.)

Hello.

Could you please clarify exactly which documentation says the contrary?
#22007
Posted: 10/15/2012 10:57:24
by Zack Jhuang (Standard support level)
Joined: 06/11/2012
Posts: 15

http://eldos.com/documentation/sbb/documentation/ref_howto_pki_cert_renew.html?sphrase_id=407376

The documentation mentions loading both the client's and the CA's private keys. Do I misunderstand?

Quote
To renew the existing certificate (i.e., to generate a certificate with the existing key material) using ElX509CertificateEx class use the following sequence of operations:

1. Load the certificate which you wish to renew into ElX509CertificateEx object. Remember that it's absolutely necessary to load a corresponding private key too (certificates stored in PFX format are usually stored with a corresponding private key).
2. Set up properties for a new certificate (e.g., validity dates, extensions etc.). It is recommended to keep the serial number, since many applications distinguish certificates by their serial numbers.
3. Set PreserveKeyMaterial property of ElX509CertificateEx class to True.
4. Call Generate() method of ElX509CertificateEx class. When PreserveKeyMaterial property is set to True, algorithm and key length parameters of Generate() method are ignored.

Note that you can renew both self-signed certificates and certificates signed by some other CA. In the latter case, you will need a CA certificate which was used to sign the original certificate, along with CA private key.
#22009
Posted: 10/15/2012 11:09:52
by Eugene Mayevski (EldoS Corp.)

Checked this ... Paragraph 1 simply fails to mention that the private key is needed for self-signed certificates only.


Sincerely yours
Eugene Mayevski
#22010
Posted: 10/15/2012 11:14:11
by Zack Jhuang (Standard support level)
Joined: 06/11/2012
Posts: 15

OK, I see, thanks for your prompt reply!
#22011
Posted: 10/15/2012 11:16:48
by Eugene Mayevski (EldoS Corp.)

There's no issue here.


Sincerely yours
Eugene Mayevski
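
The split described in the replies above, as an added example that is not part of the thread and is not EldoS code: it uses Go's standard crypto/x509 in place of TElX509CertificateEx to show that renewing a CA-signed certificate on the CA side takes only the old certificate and the CA's key, while the client's private key stays with the client. `Renew`, `mustCert` and the certificate names are made up for the illustration, and all keys and certificates are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Renew runs on the CA with public data only (the old certificate); the serial is kept, as the quoted docs advise.
func Renew(old, caCert *x509.Certificate, caKey ed25519.PrivateKey, validFor time.Duration) ([]byte, error) {
	if err := old.CheckSignatureFrom(caCert); err != nil {
		return nil, fmt.Errorf("not issued by this CA: %w", err)
	}
	tmpl := &x509.Certificate{SerialNumber: old.SerialNumber, RawSubject: old.RawSubject, DNSNames: old.DNSNames,
		KeyUsage: old.KeyUsage, ExtKeyUsage: old.ExtKeyUsage, NotBefore: time.Now(), NotAfter: time.Now().Add(validFor)}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, old.PublicKey, caKey) // DER: same subject key, new signature
}

// mustCert builds constructed sample data: a new key pair and its certificate (a self-signed CA if parent is nil).
func mustCert(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (cert *x509.Certificate, key ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, signer = t, key
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	if err != nil {
		panic(err)
	}
	return cert, key
}

func main() {
	ca, caKey := mustCert("Constructed Test CA", nil, nil)
	old, _ := mustCert("client.example", ca, caKey) // the client's private key is dropped: the CA never sees it
	der, err := Renew(old, ca, caKey, 365*24*time.Hour)
	fmt.Println(len(der), "bytes of renewed certificate, error:", err)
}
```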

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.