On 08/14/13 09:08, Mat Arge wrote:
On Wednesday 14. August 2013 04:10:23 you wrote:
Thanks and as for the last question number (5) I meant I simply replace the
SSL cert and assume there
will be a challenge to accept the new certificate by a browser? I revoke the
old one SSL cert.
I still don't get it. If you have revoked your old root certificate you have to
1. Create a new SSL certificate
2. Install it into the webserver (assuming you are talking about one),
replacing the old one (which has become invalid)

If a browser should automatically accept your new SSL certificate, you have to
install your new Root certificate as a trusted one, first.

cheers
Mat
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


If your web server has a new certificate, and the web browser does not have the new CA root certificate, then the web browser will prompt you about accepting the new certificate. BUT I have found that IE9 and IE10 are a lot pickier about valid certs than IE8 was. You may find that they will not be happy if they cannot verify the certificate chain. So it is probably safer to plan to redistribute the new CA root certificate.


OpenSSL has an option to renew certificates. I don't know if this applies to CA certs. Also, even if you generate a new CA cert, it should still have the same public key as the previous CA cert (assuming the same CA private key is used). So if, for example, your CA cert expires Dec 31, 2013 but the web server cert expired Dec 2013, 2014, you probably wouldn't have to regenerate a new web server cert at the same time as the CA cert. But you still need to push the new CA cert out with the updated expiration date.


So you probably DON'T want to revoke the old one, but instead have an overlap period between the old and new certificate. This assumes your CA private key has been kept secure. (Some people recommend keeping your root CA offline once intermediate CAs have been set up.)
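The renewal scenario described in the reply above, as an added worked example that is not part of the thread: a root CA certificate is re-issued from the same CA private key with a longer validity period, and a server certificate that was signed under the old CA cert is shown to verify against both the old and the new CA cert, which is what makes an overlap period possible without re-issuing the server cert. It assumes only that the `openssl` command-line tool is installed; the subject names, file names and validity periods are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): renew a self-signed root CA certificate
# while keeping the same CA private key, then check that a server certificate
# issued under the OLD CA cert still verifies against the NEW one.
# Assumes the openssl CLI is available. All names/paths are made up.
set -eu

# Runs in a subshell so the cd/temp dir do not leak into the caller.
renew_ca_demo() (
  work=$(mktemp -d)
  cd "$work"

  # 1. Root CA key and the ORIGINAL self-signed CA certificate (short validity).
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -x509 -key ca.key -sha256 -days 30 \
      -subj "/CN=Example Root CA" -out ca-old.crt 2>/dev/null

  # 2. Server key + CSR, signed by the CA using the OLD CA cert.
  #    This is the certificate a web server would be using today.
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -subj "/CN=www.example.test" \
      -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA ca-old.crt -CAkey ca.key \
      -CAcreateserial -sha256 -days 365 -out server.crt 2>/dev/null

  # 3. "Renew" the CA cert: a new self-signed certificate from the SAME key
  #    with the SAME subject name but a longer validity period.
  openssl req -new -x509 -key ca.key -sha256 -days 3650 \
      -subj "/CN=Example Root CA" -out ca-new.crt 2>/dev/null

  # 4a. Both CA certs must carry the same public key (fingerprint the SPKI).
  old_pub=$(openssl x509 -in ca-old.crt -noout -pubkey | openssl dgst -sha256)
  new_pub=$(openssl x509 -in ca-new.crt -noout -pubkey | openssl dgst -sha256)
  if [ "$old_pub" = "$new_pub" ]; then match=yes; else match=no; fi

  # 4b. The existing server cert must chain to the old AND the new CA cert.
  #     Only the trust anchor changes; the signature on server.crt was made
  #     with the same key, and the issuer name still matches the CA subject.
  if openssl verify -CAfile ca-old.crt server.crt >/dev/null 2>&1; then
    old=OK; else old=FAIL; fi
  if openssl verify -CAfile ca-new.crt server.crt >/dev/null 2>&1; then
    new=OK; else new=FAIL; fi

  cd / && rm -rf "$work"
  echo "pubkey-match=$match old-ca=$old new-ca=$new"
)

renew_ca_demo
```

During the overlap period, clients that still trust only `ca-old.crt` and clients that have already received `ca-new.crt` both validate the unchanged `server.crt`; once `ca-old.crt` has expired, only clients that received the new root keep working, which is why the new CA cert still has to be pushed out before that date. This works because the default authority key identifier only carries the key hash; if a deployment pins the issuer name and serial number as well, the re-issued root would no longer match and the server certs would need re-signing.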