ray v wrote: > Alicia, > > Thank you for getting back to me > > I need to take the Root CA certificate/private key and > > change the modulus from 512 bit to 2048 bit. I assume > that I have to make a new Root CA Certificate request > and then sign it with the old one?
You cannot prolong the keys from 512 to 2048 bits, so you will need to generate a completely new key. The idea of additionally signing the new key with the old one is perfectly valid in theory. On the other hand: If you have to update the key of your CA because the old one is too short (= not secure any more), then the trust by such a signature is limited. And: You might run into troubles with some other clients than IE or Outlook. The handling of cross certificates is pretty poor in many applications. If this really catches your interest, you might have a look at http://www.dfn-pca.de/bibliothek/reports/pki-linking/ Regards, Olaf -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE [EMAIL PROTECTED] A daily view on Internet Attacks https://www.ecsirt.net/sensornet ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
