Hi David,
I found your question quite interesting. I thought it wasn't possible in
the beginning, but after some time I found some documentation related to
this stuff.
http://www.qxmail.com/bio/structuredarts/docs/edu/reissue.htm
This link is documentation related to how to reissue the Root CA
certificate by using Netscape Certificate Server (proprietary software).
Anyway, I think it's nice to reissue your Root CA by using OpenSSL; what
it says makes sense.
Here comes the magical recipe:
1) You must generate a request (pkcs#10) with the same Distinguished Name
and NotBefore (beginning date) fields (I would also use the same
EmailAddress...). The NotAfter must be older than the first one. The
extensions must also be the same (nsCertType, nsX...).
2) Use the same Private Key to self-sign the Root CA cert.
3) Load the new Root CA cert onto all servers and clients.
I didn't try this and I cannot do it at this moment, so let me know how
everything goes.
Pablo
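The recipe above, worked through with the OpenSSL command line as an added example (not part of the original post): build a short-lived root, issue a leaf under it, then reissue the root with the same private key and the same subject but a longer validity, and check that the existing leaf still verifies against the reissued root. The DN and file names are constructed for the example; the temporary directory is created with mktemp.

```shell
#!/bin/sh
# Added example: reissue a root CA cert with the same key and subject but a
# longer validity, then verify an existing end-entity cert against it.
set -eu
WORK=$(mktemp -d)
SUBJ="/C=XX/O=Example Root CA/CN=Example Root CA"   # constructed sample DN

make_old_root() {
  # Original root: fresh key, self-signed, short validity ("about to expire").
  openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/root.key" -subj "$SUBJ" -days 30 \
      -out "$WORK/root-old.pem" 2>/dev/null
}

issue_leaf() {
  # End-entity cert signed by the old root, valid longer than the root itself.
  openssl genrsa -out "$WORK/leaf.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/leaf.key" -subj "/CN=leaf.example" \
      -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root-old.pem" \
      -CAkey "$WORK/root.key" -CAcreateserial -days 365 \
      -out "$WORK/leaf.pem" 2>/dev/null
}

reissue_root() {
  # Step 1: PKCS#10 request with the SAME DN and the SAME private key.
  openssl req -new -key "$WORK/root.key" -subj "$SUBJ" \
      -out "$WORK/root.csr" 2>/dev/null
  # Step 2: self-sign with the same key, now with an extended validity.
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
      -days 3650 -out "$WORK/root-new.pem" 2>/dev/null
}

# Does the leaf chain to the given root? Returns 0 on success.
verify_leaf_against() {
  openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Old and new root must carry the identical public key for the leaf's
# signature (and any keyid-based AKI match) to keep working.
same_pubkey() {
  a=$(openssl x509 -in "$WORK/root-old.pem" -pubkey -noout)
  b=$(openssl x509 -in "$WORK/root-new.pem" -pubkey -noout)
  [ "$a" = "$b" ]
}
```

Step 3 of the recipe (distributing root-new.pem to every trust store) is the part that cannot be scripted here; until it is done, clients holding only the old root will start failing once its NotAfter passes.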
David wrote:
Hello list,
I've some questions about reissuing of CA certificates. Imagine I've got
the following hierarchy within my PKI.
TLCA
|
CA
|
end-entities
If the CA-certificate is about to expire before the certificates
of the end-entities do, can I reissue the CA certificate with an extended
validity period to work around this?
If yes,
Can I do this by issuing a certificate with the same public-key, CN and
subjectKeyIdentifier from the current CA-certificate? Cause those are the
only "fields" which are used within the verifying process, if I'm right.
I hope someone can shine some light on this situation,
Thanks in advance,
David
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]