For internally used web-based software, which must be available from everywhere, I have created client certificates which are installed in the browsers of authorized consumers.
Now, with 2012 being over, all of them are expired and need a renewal. I've given out PKCS #12 certificates (.p12).
Here are my questions:
- Is it possible to extend the client certificate lifetime?
- Do I have to reinstall the certificate on all clients or is there another way (e.g. centrally from the server, some kind of update mechanism maybe)?
- How do I renew / regenerate client certificates using openssl on Linux?

Because this might be of interest, here is how I created the browser certificates:
```
# client private key
openssl genrsa -des3 -out client.key 1024
# generate certificate signing request
openssl req -new -key client.key -out client.csr
# create certificate, sign with server key
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
# export into pkcs12
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
```
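
One way to handle the renewal asked about above, as an added example that is not part of the original post: re-sign the existing `client.csr` with the same CA under a fresh serial number, then check the result before handing it out. The function names and the throwaway demo PKI are hypothetical; it assumes the original CSR was kept, and the random serial is a choice made here.

```sh
#!/bin/sh
# Added example, not code from the original post. Function names are
# hypothetical; file names follow the question (ca.crt, ca.key, client.csr).

# needs_renewal CERT SECONDS: succeeds if CERT expires within SECONDS.
needs_renewal() {
    [ -r "$1" ] || return 2
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# same_key CERT CSR: succeeds if the certificate and the CSR carry the same
# public key, i.e. the renewed certificate still matches client.key.
same_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey)
    b=$(openssl req -in "$2" -noout -pubkey)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# renew_cert CA_CRT CA_KEY CSR OUT_CRT DAYS
# Re-signs the CSR, then verifies the new certificate chains to the CA.
renew_cert() {
    # Assumption: a random serial, so the renewed certificate never shares
    # issuer+serial with the expired one (the question always used 01).
    serial="0x$(openssl rand -hex 16)"
    openssl x509 -req -sha256 -days "$5" -in "$3" -CA "$1" -CAkey "$2" \
        -set_serial "$serial" -out "$4" 2>/dev/null &&
    openssl verify -CAfile "$1" "$4" >/dev/null &&
    same_key "$4" "$3"
}

# demo_pki DIR: constructed throwaway CA and client with a 1-day certificate.
# Keys are left unencrypted only so the demo runs without prompts.
demo_pki() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
          -days 3650 -subj "/CN=Demo CA" 2>/dev/null &&
      openssl genrsa -out client.key 2048 2>/dev/null &&
      openssl req -new -key client.key -out client.csr -subj "/CN=demo-user" &&
      openssl x509 -req -days 1 -in client.csr -CA ca.crt -CAkey ca.key \
          -set_serial 01 -out client.crt 2>/dev/null )
}
```

The renewed certificate is then exported with the same `openssl pkcs12 -export` command shown in the question, using the existing `client.key`.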