[Howto] Changing the expiry date of GPG keys

920839987_135ba34fff
GnuPG keys can have an expiry date. When the key expires, it cannot be used to encrypt data anymore, and thus is a good way to enforce security measures. However, what most people does not seem to know is that this expiry date can be changed quite easily.

Setting an expiry date for a GPG key is usually a good thing: it makes sure that even if you forget the password and do not have a revocation certificate the key will not be valid at some point in the future. Additionally it might force users to replace keys ever so often to enforce specific security measures. Last but not least it forces the key owner to think about his or her own GPG infrastructure and if changes are needed.

Still, there might be times where it makes sense to change the expiry date – if only because you realized that your GPG keys are all fine.

First, you need to know the key ID, in this example ABCDEF12:

$ gpg --list-keys liquidat@example.com
pub   2048R/ABCDEF12 2012-09-10 [expires: 2032-09-10]
uid                  liquidat <liquidat@example.com>
sub   2048R/BCDEF123 2012-09-10 [expires: 2032-09-10]]

With that ID at hand you can now edit the key:

gpg --edit-key ABCDEF12
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/ABCDEF12  created: 2012-09-10  expires: 2013-09-10  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/BCDEF123  created: 2012-09-10  expires: 2013-09-10  usage: E   
[ultimate] (1). liquidat <liquidat@example.com>

gpg>

As you see this key is going to expire in fall 2013. The gpg> indicates a prompt, so you are basically at a gpg specific shell. So, let’s actually change the expiry date:

gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 3y
Key expires at Fri May  6 15:45:42 2016 CEST
Is this correct? (y/N) y

You need a passphrase to unlock the secret key for
user: "liquidat <liquidat@example.com>"
2048-bit RSA key, ID ABCDEF12, created 2012-09-10

The passphrase is usually queried by standard means, so on a desktop systems a pop up windows should come up asking you for the passphrase.

Afterwards, list the key again to check the new expiry date:

gpg> list
pub  2048R/ABCDEF12  created: 2012-09-10  expires: 2016-09-10  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/BCDEF123  created: 2012-09-10  expires: 2013-09-10  usage: E   
[ultimate] (1). liquidat <liquidat@example.com>

gpg>

As you see, the expiry date has only changed for the first key, but not for the pub key. The edit procedure is always for one key only. Thus, change the focus from the first key, called “key 0”, to the sub key, “key 1”. A star sign * will indicate the focus on the subkey:

gpg> key 1
pub  2048R/ABCDEF12  created: 2012-09-10  expires: 2016-09-10  usage: SC  
                     trust: ultimate      validity: ultimate
sub*  2048R/BCDEF123  created: 2012-09-10  expires: 2013-09-10  usage: E   
[ultimate] (1). liquidat <liquidat@example.com>

gpg> expire

Changing expiration time for a subkey.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 3y
Key expires at Fri May  6 15:45:42 2016 CEST
Is this correct? (y/N) y

You need a passphrase to unlock the secret key for
user: "liquidat <liquidat@example.com>"
2048-bit RSA key, ID BCDEF123, created 2012-09-10

gpg> list
pub  2048R/ABCDEF12  created: 2012-09-10  expires: 2016-09-10  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/BCDEF123  created: 2012-09-10  expires: 2016-09-10  usage: E   
[ultimate] (1). liquidat <liquidat@example.com>

As you see, you are done, both dates are changed now. The changes finally need to be saved:

gpg> save

And, last but not least, don’t forget to upload the updated public key to the key servers:

$ gpg --keyserver pgp.mit.edu --send-keys ABCDEF12
gpg: sending key ABCDEF12 to hkp server pgp.mit.edu

Short Tip: Check configured virtual hosts in Apache

920839987_135ba34fff
Whenever you have to debug virtual host setups in Apache, checking the actual running virtual host configuration is a good first step. This can be done with the -S option used on the Apache binary: It lists all running virtual hosts and performs a syntax check.

On Fedora, RHEL, CentOS the Apache binary can be found on /usr/sbin/httpd:

# /usr/sbin/httpd -S
VirtualHost configuration:                                                        
1.2.3.4:80      me.example.net (/etc/httpd/conf.d/me.conf:5)
2.3.4.5:80      others.example.net (/etc/httpd/conf.d/others.conf:1)
2.3.4.5:443     others.example.net (/etc/httpd/conf.d/others.conf:38)
Syntax OK

On Debian systems the call is almost the same, you just have to source the environment variables upfront, and the binary has a different name for historical reasons:

# source /etc/apache2/envvars
# /usr/sbin/apache2 -S
VirtualHost configuration:                                                        
1.2.3.4:80      me.example.net (/etc/apache2/sites-enabled/me.conf:5)
2.3.4.5:80      others.example.net (/etc/apache2/sites-enabled/others.conf:1)
2.3.4.5:443     others.example.net (/etc/apache2/sites-enabled/others.conf:38)
Syntax OK

you might run into an error about user names, in such cases it is helpful to call upfront.

Short Tip: Test TLS connections on command line [Update]

920839987_135ba34fff

When you set up the TLS encryption of a web or also of an IMAP server like Dovecot it is sometimes handy to test the encryption on command line level, to see what really happens there. A good tool to do just that is openssl:

# openssl s_client -crlf -connect www.example.net:993
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.

Afterwards, if you want to for example try an IMAP login, the command is as follows:

A login user password
A OK User logged in
A OK [CAPABILITY IMAP4rev1 ...
A status INBOX (messages)
* STATUS INBOX (MESSAGES 0)
A OK Status completed.
C logout
* BYE Logging out
C OK Logout completed.
closed

At the same time, if you want to test HTTPS encryption:

$ openssl s_client -crlf -connect www.example.net:443
CONNECTED(00000003)
[...]
---
GET / HTTP/1.0

HTTP/1.1 302 Found
[...]

Short Tip: Generate SSL/TLS fingerprints to verify web page certificates

920839987_135ba34fff
When you try to connect to a web server which has a certificate signed by an unknown root ca, you can compare the TLS/SSL fingerprint of the server with the one of the certificate. For example, if you use your Android phone to securely connect to your own server the phone might not have the root ca of your TLS certificate and thus presents you the fingerprint for you to verify.

Thus, beforehand you have to calculate the TLS fingerprint of the server certificate. This can be done with a single command:

# openssl x509 -noout -fingerprint -in /etc/pki/tls/certs/www.myserver.de.public-cert.ssl.crt 
SHA1 Fingerprint=84:C2:9D:59:47:23:A6:38:22:C0:0B:39:6D:A8:BB:D8:0B:7B:EA:09

[Short Tip] Generate SSH fingerprints

920839987_135ba34fff
Whenever you open a ssh connection to your server from a new computer, you should will be shown the ssh fingerprint of the machine to verify if you are really connecting the machine you are aiming for. Thus you should have the the SSH key fingerprint at hand. The fingerprint can be easily calculated directly on the server with a single command:

# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 07:86:16:03:b0:75:7e:74:be:49:77:86:3b:cb:92:a9 /etc/ssh/ssh_host_rsa_key.pub