Mike Schmidt wrote:

Hi,

This process is not clear to me. Sorry for the questions, but I just read this thread and ended up understanding even less than I thought I understood.

How does this exactly work? We set up a new CA on a different ip address? How does the previous CA cert remain available for verifications? Where is it cached? Why can't we use the current CA with a new (second) CA cert?

because this isn't supported right now, the awareness of ca-rollover just slowly approaches the surface, even in established environments...
(usually the problem of ca-rollover is 'solved' through long term root-ca certs... which isn't really nice)


so what they mean is: you just set up a new pki - which has a new ca-key and cert and issues the new certs - and keep the other one running for crl issuing

in any case you need to have both certs and crls available, and both crls on different cdps, otherwise a client couldn't verify old certs issued by the old ca-cert, which is still valid

the support for ca-rollover will be available in 0.9.3 and it will be quite unique, i think you won't find that in a lot of even commercial products, but it isn't finished right now...


greetings dalini
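
Added example, not part of the original message and not OpenCA's own configuration: the parallel setup described above, sketched as a plain OpenSSL `ca` configuration with one section per CA. Directory names, section names and URLs are assumptions chosen for illustration.

```ini
# Constructed example: plain OpenSSL `ca` configuration, not OpenCA's files.
# Paths and URLs are placeholders.

[ ca ]
default_ca = CA_new            # all new certificates come from the new CA

# Old CA: issues no new certificates, kept only to sign its own CRL.
# Certificates it already issued carry the old CDP URL, so that URL must
# keep serving a fresh CRL until the last of them has expired.
#   openssl ca -config openssl.cnf -name CA_old -gencrl -out ca-old.crl
[ CA_old ]
dir              = ./ca-old
database         = $dir/index.txt
crlnumber        = $dir/crlnumber
certificate      = $dir/cacert.pem
private_key      = $dir/private/cakey.pem
default_md       = sha256
default_crl_days = 7
crl_extensions   = crl_ext

# New CA: new key and certificate, its own database, serials and CRL.
#   openssl ca -config openssl.cnf -name CA_new -gencrl -out ca-new.crl
[ CA_new ]
dir              = ./ca-new
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/cacert.pem
private_key      = $dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = policy_any
x509_extensions  = usr_cert_new
crl_extensions   = crl_ext

[ policy_any ]
commonName = supplied

[ usr_cert_new ]
basicConstraints       = CA:FALSE
authorityKeyIdentifier = keyid,issuer
# A different CDP from the one embedded in certificates of the old CA.
crlDistributionPoints  = URI:http://pki.example.test/crl/ca-new.crl

[ crl_ext ]
authorityKeyIdentifier = keyid:always
```

Relying parties need both CA certificates in their trust store for as long as certificates from the old CA remain valid.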

