Hi! My root-cert will expire in a few months. I'm now planning a migration to renew the certificates. The goal is to ensure a seamless migration without loss of service by updating the servers and clients certificates.
Currently I'm lacking a plan for how to do the migration. The problem is that I cannot change all certs at a time but must somehow make sure that the client cert can connect to the old and the new server certs, so that I can update all client certs first and, once that is completed, update the server certs. I could also do it the other way: update the server certs first so that they accept connections from both the new and the old client certificates and, once that's done, update all client certs.

Here are the details: I'm running a project with a few hundred servers and a few thousand clients connecting to these servers. For each (group of) server(s) there is a set of clients that may connect to these servers. When this was set up a long time ago the structure was this:

    root-cert
      group1-cert (signed with root cert)
        server1-1 cert (signed with group1-cert)
        server1-2 cert (optional)
        client1 cert (signed with group1-cert)
      group2-cert
        server2 cert
        client2 cert
      [...]

All connections are authenticated using certificates. A group1 client can only connect to a group1 server (and not to a group2 server), and the group1 servers will also reject connections from any peer except those with a group1 client certificate.

I have generated a new root certificate and I can easily generate new group, server and client certificates, but I haven't yet found a way to do the migration. Is there a way I can create new client certs that can connect to the old AND the new server certs?

Help will be appreciated!

Regards,
T.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
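The following script is an added illustration and is not part of the original post or of the OpenSSL project. It models the hierarchy described above (root, group CA, client) for an old and a new root using only the openssl command line, then checks the poster's second option: a group1 server whose trust bundle contains both the old and the new group1 CA accepts old and new group1 clients while still rejecting a group2 client. The file names (old_root, new_group1, ...), the subjects, the 365-day lifetimes and the helper functions make_cert, accepts and report are this example's own assumptions; -partial_chain is a real openssl verify option that lets an intermediate (group) CA act as the trust anchor, which mirrors a server that trusts only its own group CA rather than the root.

```shell
#!/bin/sh
# Added example, not from the original post: models the poster's hierarchy
# (root -> group CA -> client) for an old and a new root, then checks which
# client certificates a group1 server trust bundle accepts. Names such as
# old_root, new_group1 and the helper functions are this example's own.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: req needs a distinguished_name section; the two extension
# sections mark CA certificates and end-entity (client) certificates.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ee_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# make_cert NAME SUBJECT EXT [ISSUER]: writes NAME.key and NAME.pem.
# Without ISSUER the certificate is a self-signed root; with ISSUER it is
# signed by ISSUER.key/ISSUER.pem. EXT is ca_ext (group CA) or ee_ext (client).
make_cert() {
  name=$1; subj=$2; ext=$3; issuer=${4:-}
  openssl ecparam -name prime256v1 -genkey -noout -out "$name.key"
  if [ -z "$issuer" ]; then
    openssl req -x509 -new -key "$name.key" -subj "$subj" -days 365 \
      -config ext.cnf -extensions "$ext" -out "$name.pem"
  else
    openssl req -new -key "$name.key" -subj "$subj" -config ext.cnf \
      -out "$name.csr"
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -days 365 -extfile ext.cnf -extensions "$ext" \
      -out "$name.pem" 2>/dev/null
  fi
}

# accepts BUNDLE CERT: succeeds when CERT chains to a CA listed in BUNDLE.
# -partial_chain lets a group (intermediate) CA be the trust anchor, so the
# server keeps trusting only its own group, not every group under the root.
accepts() {
  openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# report BUNDLE CERT: prints one line saying whether the bundle accepts CERT.
report() {
  if accepts "$1" "$2"; then echo "$1 accepts $2"; else echo "$1 rejects $2"; fi
}

# Old hierarchy: one root, two groups, one client per group.
make_cert old_root    "/CN=Old Root"    ca_ext
make_cert old_group1  "/CN=Old Group1"  ca_ext old_root
make_cert old_group2  "/CN=Old Group2"  ca_ext old_root
make_cert old_client1 "/CN=Old Client1" ee_ext old_group1
make_cert old_client2 "/CN=Old Client2" ee_ext old_group2

# New hierarchy under the new root; only group1 is modelled here.
make_cert new_root    "/CN=New Root"    ca_ext
make_cert new_group1  "/CN=New Group1"  ca_ext new_root
make_cert new_client1 "/CN=New Client1" ee_ext new_group1

# Trust bundles for a group1 server: before migration (old group1 CA only)
# and during migration (old and new group1 CAs concatenated).
cp old_group1.pem group1_before.pem
cat old_group1.pem new_group1.pem > group1_migration.pem

for bundle in group1_before.pem group1_migration.pem; do
  for cert in old_client1.pem new_client1.pem old_client2.pem; do
    report "$bundle" "$cert"
  done
done
```

The migration bundle accepts old_client1 and new_client1 and rejects old_client2, while the pre-migration bundle rejects new_client1; once every group1 client has been reissued under the new root, the old group1 CA can be dropped from the bundle. The same idea applies in the other direction (clients trusting both old and new group CAs for the servers they connect to), and in either direction it is the trust bundle, not the certificate itself, that has to know both roots during the overlap.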