I'm a newbie in computer security and I have a basic question whose answer I've not been able to find out.

I have a private key whose validity period has expired. Using that key I'd previously generated a .csr and sent it to a CA and they'd given me a certificate that's still valid.

My question is, can I (using keytool or whatever...) modify the private key's expiration date in order to use it with my certificate (.cer)? Could I regenerate a private key to be used with this certificate?

Thank you,

user1031431
    Private keys (or public keys for that matter) don't expire, certificates do. – Bruno Jul 29 '14 at 21:54
  • *"Could I regenerate a private key to be used with this certificate"* - you can, but you should not. In the old days, key management and key rotation was practiced like a religion (it still is). But what we've found in practice is it's better to honor key continuity and re-certify or re-use the same key (sans a key compromise). Then, systems utilizing defense-in-depth and security diversification techniques can do things like Trust-On-First-Use (TOFU) and Pinning. If the key changes regularly, then it breaks TOFU and Pinning. A MitM should set off alarm bells when the key unexpectedly changes. – jww Jul 30 '14 at 00:30
  • This question appears to be off-topic because it is not related to programming. Ask on http://security.stackexchange.com – Eugene Mayevski 'Callback Aug 01 '14 at 15:30

2 Answers

No.

The validity period is in the certificate, not the private key. Certificates cannot be modified, and the only entities that can generate valid certificates are the certificate authorities.

You will have to pay for a new certificate. Certificate expiration is a safety measure, but also a way to get recurring customers.

ntoskrnl
  • Thank you for your answer. Actually the .cer is valid until 2015 but I'm unable to use it because the key pair validity date (keytool's validity parameter when creating the key pair) has expired. Any idea? – user1031431 Jul 29 '14 at 21:21
  • *"Certificate expiration is a safety measure..."* - Google and a few others rotate their certificates every 30 days or so, but re-certify the same public key. They do so to keep the CRLs small for mobile clients. I don't believe there are any security reasons (modulo key continuity). That's why [CertPatrol](http://patrol.psyced.org/) can't handle sites like Gmail without spurious noise. – jww Jul 30 '14 at 00:36
  • *"You will have to pay for a new certificate..."* - [StartCom](http://www.startssl.com/) and [CACert](http://www.cacert.org/) offer free certificates trusted by most mobile and desktop browsers. They are Class 1 certificates (domain validation, no wildcards). They charge for revocation, if needed. They charge for certificates at Class 2 or higher. – jww Jul 30 '14 at 00:40
`keytool -genkeypair` does more than generating a key pair: it generates a pair of public and private key, and wraps the public key into a self-signed X.509 certificate generated on the spot with the various options given (`-dname`, `-validity`, ...). It puts them together into the alias you choose (a private key entry will associate a private key and a certificate, or a certificate chain of length 1, to be precise).

Those options affect this self-signed X.509 certificate, not the key pair itself.

Normally, if you don't want to use a self-signed certificate, you produce a CSR based on this public key and the characteristics of this self-signed X.509 certificate (the structure of a CSR is in fact very similar to that of a self-signed certificate, but it doesn't have issuer or validity dates). That CSR is then used by your CA to issue an X.509 certificate (this time, signed by that CA).

You are meant to import it again into that alias, to be able to use the certificate with its private key. If your self-signed certificate (or an older certificate matching this private key) has expired, re-import the certificate that is still valid.

In fact, if there are intermediate certificates, you should not only import that certificate, but the certificate chain (see this question and this question).

If your .cer file is in DER format (binary) and not PEM format (base64-encoding of the DER format), you can convert it into PEM using `openssl x509 -inform DER -in mycert.cer -outform PEM -out mycert.crt` and use the result to build the chain and import it.

Bruno
  • `keytool -import -v -alias privateKeyAlias -keystore theKeyStore.jks -file abc123456def.crt -trustcacerts` don't forget the "trustcacerts" param to replace the public key with the signed one the CA sent you! – François Breton May 10 '19 at 18:05