Openssl upgrading and certificates

[Blaqb0x]

Hi,

I was wondering about upgrading openssl and certificates made using the older versions of openssl. If I make a certificate with one version then then some vulnerabliility comes out. If I upgrade to the new version of Openssl then the certificate made with the old version still has the vulnerabilities of the older version. So would I have to recreate the certificate? Doesn't that change the actuall signature of the certificate and cause problems.

Thanx

[tolstoy]

Did you sign your certs yourself or are they signed by a root CA like Verisign? If you signed them yourself, I would just recreate them. If you went with someone like Verisign, then I think you can have them reissued for about $100. Of course, you'll have to go through the whole bit about sending them a new CSR, having your old certs put on a revocation list, and all that jazz. I'm imagining all of which is not too hard.

However, I don't think that upgrading SSL will effect your certs unless you somehow delete your public/private key pairs in the process. Also, I'm not so sure that OpenSSL vunerablities effect the cert it generated so much as the SSL service itself. Most of what I have seen posted at CERT.org concerning OpenSSL are buffer overflows. None of the fixes mention resigning your certificate. I would only recreate certs if you were interested in using a higher cipher strength or a different encoding scheme.