Hi, the problem here is: is the subCA key affected? If so, just revoke the subCA cert in the root CA. This should be sufficient. When the path validation is performed, the CRL from the root CA *should* be checked, therefore all the certificates issued by that subCA should be considered invalid as the CA certificate is revoked.

You can issue a new certificate with the same DN - the difference between the new and the old certificate will be the serial number. Indeed, from a standards point of view, what must be unique in a PKI is the serial number + DN values. Just one warning: be careful to use the patched/updated version of OpenSSL when you create the new subCA key material.

One suggestion: I found it useful to install OpenSSL from scratch in some directory (e.g., /usr/local/openssl) and use the --with-openssl-prefix configure option when installing OpenCA: different distributions disable some features of OpenSSL based on their needs -- this may lead to security problems and/or unwanted side effects. My suggestion, in general, is to not rely on the distributed openssl package because most of the time it is outdated and not fully enabled in functionality.

Later,
Max

Maciej Szuba wrote:
> Hello Dominique!! OK, thanks for the answer. But I don't understand one thing. I think the way to do this is: the first step is to revoke the user certs on the subCA, and these serials I can find in the subCA CRL; next is to revoke the subCA cert, and the root CRL includes this information. So the next step is to generate a new cert from the subCA, subscribe this subCA cert in the root CA, and import it back on the subCA. I use the batch processor to automatically process generating certs for clients. But I don't know one thing. Does the CRL on the subCA include the revoked certs??? That is important because clients can verify the status of old certs. Maybe this is the wrong way?? Maybe I only need to revoke the cert of the subCA, destroy the subCA and create a new one. But what about the clients? Where do they find info about this action, I mean the CRL. I want to create a new subCA that has the same domain name as the destroyed old one.
>
> Maciej
--
Best Regards,
Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]    [EMAIL PROTECTED]
                                              [EMAIL PROTECTED]
Dartmouth Computer Science Dept               Home Phone: +1 (603) 397-3883
PKI/Trust - Office 063                        Work Phone: +1 (603) 646-9179
--o------------------------------------------------------------------------
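The mechanism described in the reply above (revoke only the subCA certificate on the root CA's CRL; every certificate issued by that subCA then fails path validation, and a replacement subCA may reuse the same DN with a new key and serial number) can be exercised end to end with the openssl CLI. The script below is an added example, not code from this thread or from OpenCA; it builds a throw-away two-tier PKI in a temporary directory, so every DN, file name and the minimal ca.cnf are constructed for the demonstration, and it assumes openssl 1.1.1 or newer on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread or OpenCA): two-tier PKI showing that revoking
# the sub-CA certificate on the ROOT CA's CRL makes full path validation reject every
# certificate that sub-CA issued, and that a replacement sub-CA with the same DN but a
# new key and serial number validates again. Assumes openssl 1.1.1+ on PATH.
set -eu

WORK=$(mktemp -d)
export CADIR="$WORK/root"   # selects which CA database the shared config points at

# One constructed config for every CA; $ENV::CADIR picks the database directory.
cat > "$WORK/ca.cnf" <<'EOF'
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = $ENV::CADIR
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
unique_subject = no
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF

# Empty "openssl ca" database in directory $1: index, next serial, next CRL number.
init_ca() {
  mkdir -p "$1"; : > "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
}

# Issue a sub-CA certificate from the root for the fixed DN /CN=Demo Sub CA into $1.
issue_subca() {
  init_ca "$1"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=Demo Sub CA" -keyout "$1/ca.key" -out "$1/ca.csr" 2>/dev/null
  CADIR="$WORK/root" openssl ca -batch -notext -config "$WORK/ca.cnf" \
    -extensions v3_ca -in "$1/ca.csr" -out "$1/ca.crt" 2>/dev/null
}

# Issue an end-entity certificate from the sub-CA in directory $1, files $2.{key,csr,crt}.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=client1" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  CADIR="$1" openssl ca -batch -notext -config "$WORK/ca.cnf" \
    -extensions v3_leaf -in "$2.csr" -out "$2.crt" 2>/dev/null
}

# (Re)generate the CRL of the CA in directory $1.
gencrl() { CADIR="$1" openssl ca -config "$WORK/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null; }

# Path validation of leaf $2 under sub-CA $1 with CRL checks at every depth
# (root CRL + sub-CA CRL). Prints OK, or the verify error text, e.g. "certificate revoked".
verify_leaf() {
  cat "$WORK/root/ca.crt" "$WORK/root/ca.crl" "$1/ca.crl" > "$WORK/trust.pem"
  if out=$(openssl verify -crl_check_all -CAfile "$WORK/trust.pem" \
             -untrusted "$1/ca.crt" "$2.crt" 2>&1); then
    echo OK
  else
    echo "$out" | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
  fi
}

run_demo() {
  init_ca "$WORK/root"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
    -extensions v3_ca -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root/ca.key" -out "$WORK/root/ca.crt" 2>/dev/null
  gencrl "$WORK/root"
  issue_subca "$WORK/sub1"; gencrl "$WORK/sub1"
  issue_leaf "$WORK/sub1" "$WORK/leaf1"
  before=$(verify_leaf "$WORK/sub1" "$WORK/leaf1")

  # Sub-CA key compromised: revoke its certificate on the ROOT CA's CRL only.
  CADIR="$WORK/root" openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/sub1/ca.crt" 2>/dev/null
  gencrl "$WORK/root"
  after=$(verify_leaf "$WORK/sub1" "$WORK/leaf1")   # the leaf itself was never revoked

  # Replacement sub-CA: same DN, new key pair, new serial number.
  issue_subca "$WORK/sub2"; gencrl "$WORK/sub2"
  issue_leaf "$WORK/sub2" "$WORK/leaf2"
  reissued=$(verify_leaf "$WORK/sub2" "$WORK/leaf2")
  same_dn=no; same_serial=no
  [ "$(openssl x509 -noout -subject -in "$WORK/sub1/ca.crt")" = \
    "$(openssl x509 -noout -subject -in "$WORK/sub2/ca.crt")" ] && same_dn=yes
  [ "$(openssl x509 -noout -serial -in "$WORK/sub1/ca.crt")" = \
    "$(openssl x509 -noout -serial -in "$WORK/sub2/ca.crt")" ] && same_serial=yes
  echo "before=$before after=$after reissued=$reissued same_dn=$same_dn same_serial=$same_serial"
}

RESULT=$(run_demo)
echo "$RESULT"
```

Two details matter for a relying party. The revocation of the subCA is only visible through the root CA's CRL, so a client that checks just the leaf against the subCA's CRL (openssl's `-crl_check` rather than `-crl_check_all`) will still accept the old certificates; the leaf entries never appear on any CRL here, and that is what the `after=certificate revoked` line relies on. The reissued subCA shares the DN of the revoked one, and `openssl ca` accepts that because the two certificates differ in serial number, which is exactly the uniqueness rule the reply describes.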
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users