Hi,

--On Friday, July 01, 2005 15:57:13 +0200 Gsandtner Michael <[EMAIL PROTECTED]> wrote:

> We too want the "renew certificate" in the public interface.
> We changed the configuration in the following way, and it worked.
> Is there any risk or any other reason why this should not be done?

This depends on your policy. Generally it is a very good idea to enforce strict key management, i.e. not using the same key pair more than once. OpenCA refuses to accept a new request with an existing public key, and I think this is very good. However, the "renew" function uses the already known public key of a certificate and allows you to issue a new certificate with the same key. Although this does work properly, it is not the best solution from a security point of view. IMO, the best approach would be to create a new key pair and reissue the certificate for the end entity based on the new key.

For your information: in our environment we have set up an automatic certificate renewal for end entities (currently only Unix, soon IBM Mainframe z/OS, Windows, Tandem) that is based on SCEP. I'll publish a GPL'ed script for automatic renewal soon.

Martin

_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users

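The two renewal styles contrasted in the reply above (a request built on a fresh key pair versus one that reuses the public key already in the old certificate), as an added example that is not from this thread, from OpenCA, or from Martin's SCEP script. It assumes only the openssl command-line tool; the subject name, file names and working directory are made up for the demonstration. The policy check compares the SHA-256 fingerprint of the DER SubjectPublicKeyInfo, which is encoded identically in a certificate and in a CSR, so a request carrying an already-certified key is detected regardless of how the rest of the request differs.

```shell
#!/bin/sh
# Added example (not OpenCA code): renew an end-entity certificate with a
# fresh key pair, and enforce a "no key reuse" policy on the new request.
# Assumes the openssl CLI. Subject, file names and WORK are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SUBJ="/CN=host.example.test"          # constructed subject for the demo

# SHA-256 over the DER SubjectPublicKeyInfo of a certificate.
spki_fp_of_cert() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Same fingerprint, taken from a PKCS#10 request.
spki_fp_of_csr() {
    openssl req -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Throwaway self-signed "old" certificate standing in for the one to renew.
make_old_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "$SUBJ" -keyout "$WORK/old.key" -out "$WORK/old.crt" 2>/dev/null
}

# Recommended renewal: generate a NEW key pair and a CSR for the same subject.
# (-nodes leaves the key unencrypted; protect it appropriately in production.)
renew_with_new_key() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$SUBJ" \
        -keyout "$WORK/new.key" -out "$WORK/new.csr" 2>/dev/null
}

# What a "renew" that reuses the known key amounts to: a CSR signed with the
# OLD private key, so it carries the public key already in old.crt.
renew_reusing_old_key() {
    openssl req -new -key "$WORK/old.key" -sha256 -subj "$SUBJ" \
        -out "$WORK/reuse.csr" 2>/dev/null
}

# Policy gate: exit 0 if the CSR's public key differs from the certificate's,
# exit 1 (reject) if the key has already been certified.
check_no_key_reuse() {
    old_fp=$(spki_fp_of_cert "$1")
    new_fp=$(spki_fp_of_csr "$2")
    if [ "$old_fp" = "$new_fp" ]; then
        echo "REJECT $2: public key $new_fp is already certified by $1" >&2
        return 1
    fi
    echo "ACCEPT $2: new public key $new_fp (old was $old_fp)"
    return 0
}

demo() {
    make_old_cert
    renew_with_new_key
    renew_reusing_old_key
    check_no_key_reuse "$WORK/old.crt" "$WORK/new.csr"
    check_no_key_reuse "$WORK/old.crt" "$WORK/reuse.csr" || true
}

# Run the demo only when invoked as: sh renew.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run with `sh renew.sh demo`: the fresh-key request is accepted and the reused-key request is rejected with the matching fingerprint printed, which is the same comparison an RA could perform before forwarding any request, including a renewal, to the CA.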