I just fell over this issue when I was planning a CA/PKI rollover scenario,
so I came to the conclusion that this is going to cause some really heavy problems,
and one day you have to do it... especially in a running environment this looks like it is going to cause some real problems:
Situation:
- usually you have a CA signing cert requests so that the validity of the cert doesn't exceed the validity of the CA cert
- that means, if you have a maximum issuing time for certs of 1 year, that this CA will issue only CRLs but no more certificates in the last year of its existence
- so you then do a CA/PKI rollover, meaning you create a new CA cert and set up a new PKI structure for it to use
BUT
- now we get into trouble; maybe I overlooked something, I really hope so, but at the moment I can't find the easy solution I'm actually looking for... which isn't that good
- so we have TWO CAs with TWO CRLs for the timespan when ca-old issues only CRLs and ca-new does the new certs and its own CRL for them
- but as far as I see it right now, the PIX, or let's say SCEP, can handle just one CA, and here we have a real problem right ahead
- so if we approve the new CA, we lose validity of the certs of the old one, but they are actually still valid, and we can't check the CRLs of the old one either
So that means all client certs of the old CA have to be reissued by the new one after the day the new one gets into, let's call it, active state and the old one is in, let's call it, passive state (meaning CRL signing only).
But this means a lot of work and maybe unnecessary trouble; but I see no other way to handle this at the moment?
But I think, since this shouldn't be too new an issue: how do others handle this? Set the lifetime of the VPN CA to 10 years (or something around that) or what? So one just hopes that SCEP, or let's say the PIX or other equipment, can by then handle more than one CA in parallel, to get this really working?
Thanks for any suggestions ;o) - I mean, this issue stays even with a more complex setup using maybe a long-term root CA; this issue is still not solved since I get a root CA rollover somewhere in the future.
greetings dalini
Openca-Users mailing list https://lists.sourceforge.net/lists/listinfo/openca-users
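The timeline the post describes (old CA goes CRL-only one maximum cert lifetime before it expires, new CA takes over issuance, both CRLs have to be honoured until the old CA expires) can be worked through with a small planner. The following is an added example, not code from the post or from OpenCA: it models each CA as a validity window plus its CRL, refuses to sign a leaf that would outlive its CA, computes the cutoff and dual-CRL dates, lists the old-CA certs that a single-CA device would force you to reissue, and contrasts a relying party that trusts both CAs with one (like the PIX/SCEP case in the post) that can hold only one. CA names, serials and all dates are made up for the example.

```python
# Added example (not from the post or OpenCA): rollover timeline planner and a
# relying-party check that can trust more than one CA at once.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CA:
    name: str
    not_before: date
    not_after: date
    revoked: frozenset = frozenset()   # serials listed on this CA's CRL


@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str
    issuer: str          # CA.name that signed it
    not_before: date
    not_after: date


def last_issuance_date(ca: CA, max_lifetime: timedelta) -> date:
    """Last day `ca` may sign a full-lifetime leaf without the leaf outliving the CA."""
    return ca.not_after - max_lifetime


def plan_rollover(old: CA, new: CA, max_lifetime: timedelta) -> dict:
    """Key dates of the overlap: old CA becomes CRL-only ('passive') at the cutoff,
    the new CA must be trusted by all relying parties by then, and both CRLs must be
    processed until the old CA (and the last leaf it signed) expires."""
    cutoff = last_issuance_date(old, max_lifetime)
    if new.not_before > cutoff:
        raise ValueError(f"{new.name} only becomes valid after {old.name} must stop issuing")
    return {"old_passive_from": cutoff, "new_active_by": cutoff, "dual_crl_until": old.not_after}


def issue(ca: CA, serial: int, subject: str, on: date, max_lifetime: timedelta) -> Cert:
    """Sign a leaf; refuse once the CA is in its CRL-only phase (leaf would outlive the CA)."""
    if on < ca.not_before or on > last_issuance_date(ca, max_lifetime):
        raise ValueError(f"{ca.name} may not issue a {max_lifetime.days}-day cert on {on}")
    return Cert(serial, subject, ca.name, on, on + max_lifetime)


def verify(cert: Cert, trusted: list[CA], on: date) -> tuple[bool, str]:
    """Relying-party check. A device that can hold only one CA passes a one-element
    `trusted` list, which is exactly why still-valid old-CA certs then fail."""
    ca = next((c for c in trusted if c.name == cert.issuer), None)
    if ca is None:
        return False, f"issuer {cert.issuer} not trusted"
    if not (ca.not_before <= on <= ca.not_after):
        return False, f"issuer {ca.name} not valid on {on}"
    if not (cert.not_before <= on <= cert.not_after):
        return False, "leaf outside its validity period"
    if cert.serial in ca.revoked:          # CRL of the *issuing* CA, not of the newest one
        return False, f"serial {cert.serial} revoked by {ca.name}"
    return True, "ok"


def needs_reissue(certs: list[Cert], old: CA, cutover: date) -> list[Cert]:
    """Old-CA certs still valid at `cutover`: every one of these must be reissued by the
    new CA if the relying parties can trust only a single CA."""
    return [c for c in certs if c.issuer == old.name and c.not_before <= cutover <= c.not_after]


# Constructed sample data (hypothetical CAs and subjects).
ONE_YEAR = timedelta(days=365)
OLD = CA("vpn-ca-old", date(2000, 1, 1), date(2005, 1, 1), revoked=frozenset({7}))
NEW = CA("vpn-ca-new", date(2003, 6, 1), date(2010, 1, 1))
PLAN = plan_rollover(OLD, NEW, ONE_YEAR)                     # cutoff is 2004-01-02
ALICE = issue(OLD, 5, "alice", date(2003, 11, 1), ONE_YEAR)  # old CA, still valid after cutoff
MALLORY = issue(OLD, 7, "mallory", date(2003, 12, 1), ONE_YEAR)  # old CA, revoked on old CRL
BOB = issue(NEW, 1, "bob", date(2004, 2, 1), ONE_YEAR)       # first cert from the new CA

if __name__ == "__main__":
    print("rollover plan:", PLAN)
    both, only_new = [OLD, NEW], [NEW]
    for leaf in (ALICE, MALLORY, BOB):
        print(leaf.subject, "trust both:", verify(leaf, both, date(2004, 6, 1)),
              "trust new only:", verify(leaf, only_new, date(2004, 6, 1)))
    print("reissue before single-CA cutover:", [c.subject for c in needs_reissue([ALICE, MALLORY, BOB], OLD, PLAN["new_active_by"])])
```

The design choice that matters is in `verify`: revocation is checked against the CRL of the CA that signed the leaf, so a relying party that wants to keep honouring old-CA certs during the overlap has to fetch and evaluate two CRLs, one per trusted CA. If the equipment cannot do that, `needs_reissue` gives the list of certs that must move to the new CA before the old one is removed from the trust store.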