How to replace a revoked certificate

Suppose that you has revoked a valid certificate by mistake. When you find that you still need it, it cannot be returned. Once revoked, the certificate is set invalid and cannot be revived or restored. You cannot use its serial number, because it's unique within one CA (here CAcert).

However, if you have the original CSR (Certificate Signing Request), or at least the corresponding private key, you can let CAcert issue a new certificate with the same key pair as the original one. It will have another serial number and expiration date. But this usually does not matter, if the function of the necessary application/site isn't tied to the certificate serial number.

You have certainly had a private key to the original certificate. It didn't even emerge, or changed. Look for it on the device that used the original certificate, or in backups *.p12 or *.pfx. These backups usually contain a private key, your certificate and root certificate(s) of the issuer (here CAcert). However, after revoking your certificate, its backup will no longer help you.

Issuing using the former CSR

This procedure is very simple. If you have CSR saved in a file, then it's sufficient to re-submit it to issue a certificate, and because the key pair remains unchanged, there is no need to take further steps except installation issued certificate.

Issuing if you only have a private key

For the convenience of users CAcert used and still uses generating CSR directly from the browser. Some browsers are still able to this day, but most of them don't support related <keygen> mark anymore. If your original certificate was created that way, you have no CSR file that could be reused. It is necessary to find a private key and submit it to a program that does create a corresponding public key, re-create the corresponding CSR and save it to the file. Such a program can be graphical API-driven XCA or command line driven OpenSSL.

Using XCA and a P12 backup

If you have the backup of the revoked certificate in a *.p12 file, you have to import a private key into XCA. Go to the Private Keys tab and find the Import PFX button (PKCS#12). (The function accepts *.p12 files.) Enter the backup password.

Enter the password of PFX/P12 file

Now the backup opens and shows all the contained items in the PEM notation.

Select and import the private key only

Choose and import only the private key. Note its name.

The selected private key is imported

Create a new CSR. On the Certificate Signing Request tab, press the New Request button.

The CSR tab

Another window opens. Here you can fill the necessary properties of the new certificate request.

Name the new request

On the Source tab, name the request and select the certificate template.

Select the private key

On the Subject tab, select the name of the imported private key.

Alternative names

On the Extensions tab, add, if needed, alternative names (SANs).

Certificate type requested

On the Netscape tab, select the certificate type from the list. CAcert will complement other certificate data using your account. Finally press OK.

The request is completed

The request appears in the list on the left. You can see its details, after you press the Details button.

Export the new request

Export the created request to a *.pem, *.csr, or *.txt file. Mark the request and press Export. The TXT form of that file is useful, as the file can be easily opened in the text editor, the entire content can be marked and copied to the clipboard (Ctrl-C). The next procedure is straightforward.

The new request - file

Open the exported file and save the entire contents into the clipboard (Ctrl-C).

Submit the new request

Then log on to CAcert website, select the item New (Client or Server certificate) in the menu and submit CSR pasting (Ctrl-V) it into the request field. Complete the action and download the issued certificate. Then import it into XCA, Certificates tab.

An import confirmation

The new crtificate details

After import you can see details of your new certificate. Do not forget to make a backup *.p12/*.pfx.

Importing private keys to XCA is easy, if you have the backup PKCS#12 in the PEM form in a file; it's also the file from which you have imported a private key & certificate, for example, to Android. openssl creates the private key file, see below. The problem occurs when you have a private key, but you can't get it to the file. Backup and simple saving to the file can be used in the following programs:

Therefore, the private key can usually be saved to a backup file, where you will take it from, or it's already in the (e.g. *.key) file.

Using the openSSL program

Suppose you have the private key, corresponding to the revoked certificate, in a *.key file. Then you can use the following command:

 openssl req -new -key <priv_key_file>.key -out <request_file>.pem

The TXT form of the output file is useful, as it can be easily opened with a text editor and mark and copy its contents to the clipboard (Ctrl-C). Now submit the content of the CAcert Web mailbox as described above. Download the resulting PEM certificate as a .crt file.

Now you have both the new certificate and the corresponding private key, which is the private key corresponding to both revoked and new certificates. For some programs it is sufficient, but you need to create a "backup" file *.p12/*.pfx; to do this, use the command:

 openssl pkcs12 -in <issued_certificate>.crt -inkey <priv_key_file>.key -export -out <backup>.p12

To do this, you will have to enter the private key password (1x) and set the backup file password (2x).

The <backup> file contains the certificate and the corresponding private key. It can be imported by the certificate manager under the Personal tab.


HowTo/ReplaceRevokedCert (last edited 2021-06-01 19:16:40 by AlesKastner)