existing x509 certificate how to add extended key usage

I have an existing X509 certificate. Can I still add an extended key usage item to it now (code signing)?

Or do I have to create a new cert? The extended key usage is written to the public key, right?

If it is possible to add an extended key usage item to an existing cert, it would be great if you have the required openssl command at hand :-)

Thanks a lot !!!

Answer 1

It is impossible to make changes to an existing certificate. Any change would invalidate the certificate's signature. Certificates without a valid signature are treated as invalid.

Answer 2

What you ask for is certificate modification. This is possible, but only by the CA that issued your certificate. This is because only the CA can use its private key to sign the certificate. Any change without it being re-signed by the CA's private key would invalidate the (original) signature - that's the whole point of digital signatures.

However, if you are the CA then you can sign the certificate signing request again with the correct extension added. As long as you don't generate a new key pair (don't use -newkey, use -key <original private key file> instead), you will, by definition, end up with a modified certificate. In your case, you will need to keep the same Subject Name too.

You will have to be careful though if you've already distributed your first certificate, simply because you will end up with two certificates for the same subject with different key usages.
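Worked example for both answers above (an added illustration written for this page, not code from either answerer): a throwaway CA issues a certificate with no EKU, then re-issues it from the same CSR with extendedKeyUsage=codeSigning added, so the public key and subject stay the same while the serial and extensions change. It then edits one byte of the original certificate's subject in a DER copy to show what Answer 1 describes: the CA's signature no longer verifies. It assumes a POSIX shell with openssl 1.1.1 or later on PATH; the file names, the subject example-signer and the helper functions are all made up for the demonstration.

```shell
#!/bin/sh
# Added example: re-issue a certificate with extendedKeyUsage=codeSigning from
# the original CSR (same key, same subject), and show that editing the old
# certificate in place breaks its signature. Requires openssl 1.1.1+ on PATH.
# All file names and the subject "example-signer" are made up for this demo.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# 1. A throwaway CA. Answer 2's condition: you must control the issuing CA.
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -key ca.key -subj "/CN=Example Test CA" -out ca.csr
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt -days 365 -extfile ca.ext 2>/dev/null

# 2. The "existing" certificate: leaf key + CSR, signed by the CA with no EKU.
openssl genrsa -out leaf.key 2048 2>/dev/null
openssl req -new -key leaf.key -subj "/CN=example-signer" -out leaf.csr
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out leaf-old.crt -days 365 2>/dev/null

# 3. Re-sign the SAME CSR with the extension added. The CSR already binds the
#    original public key and subject, so only the serial and extensions change.
#    (openssl x509 -req takes extensions from -extfile, not from the CSR.)
printf 'extendedKeyUsage=codeSigning\n' > eku.ext
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out leaf-new.crt -days 365 -extfile eku.ext 2>/dev/null

# Does the certificate carry extendedKeyUsage=codeSigning?
has_codesigning_eku() { openssl x509 -in "$1" -noout -text | grep -q 'Code Signing'; }

# Do both certificates have the same subject DN and the same public key?
same_subject_and_key() {
  [ "$(openssl x509 -in "$1" -noout -subject)" = "$(openssl x509 -in "$2" -noout -subject)" ] &&
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Serial numbers differ: these are two certificates for one key, not one certificate.
cert_serial() { openssl x509 -in "$1" -noout -serial; }

# Does the CA's signature still verify?
verifies() { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }

# Answer 1 in practice: flip the first byte of the subject CN in a DER copy of
# $1 (the kind of edit that "changing the certificate by hand" amounts to) and
# write it back as PEM to $2. The tbsCertificate no longer matches the signature.
tamper_subject() {
  src=$1 dst=$2
  openssl x509 -in "$src" -outform DER -out tamper.der
  # asn1parse prints the CN as e.g. "  123:d=5  hl=2 l=  14 prim: UTF8STRING  :example-signer";
  # take the TLV offset and header length, the first content byte follows them.
  set -- $(openssl asn1parse -inform DER -in tamper.der |
    awk -F: '$NF == "example-signer" { match($2, /hl=[0-9]+/);
             print $1 + 0, substr($2, RSTART + 3, RLENGTH - 3); exit }')
  printf 'E' | dd of=tamper.der bs=1 seek=$(($1 + $2)) conv=notrunc 2>/dev/null
  openssl x509 -inform DER -in tamper.der -out "$dst"   # re-encode only; no signature check here
}

tamper_subject leaf-old.crt leaf-tampered.crt

echo "old : $(cert_serial leaf-old.crt) EKU codeSigning: $(has_codesigning_eku leaf-old.crt && echo yes || echo no)"
echo "new : $(cert_serial leaf-new.crt) EKU codeSigning: $(has_codesigning_eku leaf-new.crt && echo yes || echo no)"
echo "tampered copy of old cert verifies: $(verifies leaf-tampered.crt && echo yes || echo no)"
```

Two things the run makes visible. First, the extension lives in the signed certificate body, not in the key: leaf-old.crt and leaf-new.crt carry byte-for-byte the same public key and subject and both verify against the CA, so the original private key keeps working with the new certificate. Second, the CA now has two valid certificates out for the same subject and key with different serials and key usages, which is the situation Answer 2 warns about; if the first one was already distributed, revoke it or withdraw it rather than leaving both in circulation.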
