How can I renew my certificate authority signing key?
You have two issues to contend with. First is the continuity of end-entity (server and user) certificates. Second is the changing of the Root CA.
Is there a way I can simply create a new ca.crt file with a longer expiry date?
Yes, but see the details below.
The first issue, continuity of end-entity (server and user) certificates, is mostly resolved by using the same public key when you roll over your Root CA.
The new self-signed Root CA will still need to be installed into the relevant trust stores, but the key continuity means the end-entity certificates will not need to be re-issued. If you use a new public key for the Root CA, then you will need to reissue all of the end-entity certificates.
The second issue, rolling over the Root CA, must happen because its expired. This is the same problem as re-certifying a Root CA because the hash is changed from SHA-1 to SHA-256 to comply with CA/Browser Baseline Requirements. A number of CAs have done this in real life.
The impact of the rollover can be lessened by using the same public key. This will also help with enhanced security controls, like pinning a CA's public key. If the CA certificate is pinned (as opposed to the public key), then it will create a lot of extraneous noise in tools like Cert Patrol.
To roll over the CA, you need to create an "equivalent" Root CA certificate (or as close to equivalent as can be). The way user agents uniquely identify a certificate is outlined in RFC 4158, Internet X.509 Public Key Infrastructure: Certification Path Building.
The short of RFC 4158 is the pair {Subject Distinguished Name, Serial Number} can be used to uniquely identify a certificate in a store. As a CA or Issuer, you are supposed to ensure serial numbers are unique, even if you re-certify.
End-entity certificates have additional ways to be uniquely identified, including the Authority Key Identifier (AKID). In fact, a server's certificate can use a hash of the Issuer's {Subject Distinguished Name, Serial Number} as its AKID (if I recall correctly).
You seem to have figured out how to create a self signed CA certificate, so I won't discuss the OpenSSL commands.
The real problems occur when your public/private key pairs are compromised. You can't roll over your CA under the existing public key, so you have to issue a new Root CA certificate and re-issue all end-entity certificates.
To recap, here are you actionable items:
- Use same public key for CA
- Use same Distinguished Name for CA
- Use new Serial Number for CA
- Install newly issued CA on all client machines
- Do not re-issue end-entity certificates
Best Answer
Normally, you shouldn't have to worry about issues like this.
When you are presented with a certificate issued by an untrusted root authority, your computer will contact the Windows Update web site to see if Microsoft has added the CA to its list of trusted authorities. 1
See Microsoft KB 2328240: "Event ID 4107 or Event ID 11 is logged in the Application log in Windows and in Windows Server"
There is a "Fix it for me" download available at that page, or directions for manually fixing the problem.
After applying the update, and rebooting, the next time you visit the site, your computer should automatically download the CA certificate. Restarting the browser, and re-visiting the site should be successful.
1 - This was paraphrased from the description found in Group Policy Editor (gpedit.msc): Administrative Templates/System/Internet Communication settings/Turn off Automatic Root Certificates Update