PKI succession is a process that has had little discussion or documentation in the industry (some implied PKI succession planning in SET, but not explained in a general PKI context). For private hierarchies, it is much easier to plan for succession as the initial hierarchy is designed. This allows a PKI succession timeline to be established within the validity dates of the CA root (and its subordinates).


Do you actually want to renew or issue a new CA with the same DN? It is best practice to generate new keys and self-sign a new CA certificate with the same DN. It is not advisable to re-use old CA keys.

If there is a concern about new root certificate distribution, continue to use the old hierarchy in servers until its expiration and distribute the new root with the newly issued end-entity certificates. The old root CA certificate will remain in cache for continued validation of the old hierarchy, but the new CA certificate (also installed in cache) will validate certificates issued in the hierarchy as they are used.

The issue is that your window for reissuance of certificates is tight. In many cases, it is desirable to begin issuing under a new CA a year to 18 months away from the expiration of the old CA to facilitate a smooth transition from one CA hierarchy to its successor.

Please contact me off-list if there are specific questions or issues in your PKI succession.

Bill
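The succession Bill outlines (new keys, a new self-signed root with the same DN, old and new roots side by side in the trust store until the old hierarchy expires) can be rehearsed in a scratch directory with OpenSSL before touching production. The script below is an added example, not code from the thread or from OpenCA; the DN "Example Root CA", the host name www.example.test, the validity periods and the file names are all assumptions. It builds both root generations, issues one end-entity certificate under each, and then checks the properties the reply relies on: the roots share a subject but not a key, a certificate from the new hierarchy does not validate against the old root alone, and a bundle holding both roots validates certificates from either hierarchy.

```shell
#!/bin/sh
# Added example (not part of the original thread): rehearsing a root CA
# succession with OpenSSL. DN, names and validity periods are assumptions.
# Both root generations share the same DN but use freshly generated keys; a
# trust bundle holding both roots validates either hierarchy during overlap.
set -eu

WORK="$(mktemp -d)"
CFG="$WORK/openssl.cnf"

# Minimal self-contained config so the run does not depend on a system openssl.cnf.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = root_dn
prompt = no
x509_extensions = ca_ext

[root_dn]
C  = XX
O  = Example Org
CN = Example Root CA

[ca_ext]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[leaf_ext]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF

# make_root NAME DAYS: fresh key pair plus a self-signed CA cert with the shared DN.
make_root() {
  openssl req -x509 -config "$CFG" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -days "$2" 2>/dev/null
}

# issue_leaf ROOT LEAF CN: CSR plus end-entity cert signed by the named root.
# The authorityKeyIdentifier lets a verifier pick the right root when two share a DN.
issue_leaf() {
  openssl req -new -config "$CFG" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$CFG" -extensions leaf_ext \
    -out "$WORK/$2.crt" 2>/dev/null
}

# same_subject A B: true when both certificates carry the same subject DN.
same_subject() {
  [ "$(openssl x509 -in "$WORK/$1.crt" -noout -subject)" = \
    "$(openssl x509 -in "$WORK/$2.crt" -noout -subject)" ]
}

# different_key A B: true when the certificates carry different public keys,
# i.e. the successor root did not reuse the old key.
different_key() {
  [ "$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey)" != \
    "$(openssl x509 -in "$WORK/$2.crt" -noout -pubkey)" ]
}

# verifies_under LEAF TRUSTFILE: true when LEAF chains to a root in TRUSTFILE
# (a single .crt or a .pem bundle), mirroring what a client trust store would do.
verifies_under() {
  openssl verify -CAfile "$WORK/$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# run_rehearsal: build old and new hierarchies and the transitional trust bundle.
run_rehearsal() {
  make_root old_root 3650
  make_root new_root 3650
  issue_leaf old_root old_leaf www.example.test
  issue_leaf new_root new_leaf www.example.test
  cat "$WORK/old_root.crt" "$WORK/new_root.crt" > "$WORK/bundle.pem"
}

run_rehearsal
same_subject old_root new_root && echo "roots share DN: yes"
different_key old_root new_root && echo "roots share key: no"
verifies_under old_leaf old_root.crt && echo "old leaf under old root: OK"
verifies_under new_leaf new_root.crt && echo "new leaf under new root: OK"
verifies_under new_leaf old_root.crt || echo "new leaf under old root only: FAIL (new root not yet distributed)"
verifies_under old_leaf bundle.pem && verifies_under new_leaf bundle.pem && echo "both leaves under bundle: OK"
```

The failing check in the middle is the one that matters operationally: until the new root has reached every relying party's trust store, certificates issued under it are rejected, which is why the reply suggests shipping the new root alongside the first certificates issued under it and keeping the old root installed until its own expiration.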


Jose Ramon Roca wrote:



We are using OpenCA 0.9.1 and our CA certificate is about to expire in a few months. In the 0.9.1 version there is no file renew_ca in the bin directory. Which is the correct way to renew the CA?

Thanks in Advance.



-------------------------------------------------------
This SF.net email is sponsored by OSDN developer relations
Here's your chance to show off your extensive product knowledge
We want to know what you know. Tell us and you have a chance to win $100
http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54
_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users



