Andrew W. Gray wrote:
>
> >I did not get a new or renewed certificate. Does it mean that I have to
> >wait until a certificate has actually expired to be able to renew it?
>
> Shouldn't have to - just revoke it.
>
> see
> http://remus.PrakInf.TU-Ilmenau.DE/ssl-users/archive8/0040.html
> in the archive for step by step instructions of editing index.txt to indicate
> revocation.
>
> run ca -gencrl to generate your crl (as if they're ever used by anything)
>
> now run your x509 -x509toreq to get your new cert request
>
> now ca should be able to sign it. No, it should not have the same serial number.
>
Thanks. This also answered my question about how to revoke a
certificate. So easy and so primitive :-)
Now let us get back to my original question about how to renew a
certificate. Now I know how to do it, but I don't think it is practical
to use.
A user has his certificate and private key, either in his browser or in
p12 file. CA never knows this user's private key. So to renew a
certificate by generating a new cert request (using ca -x509toreq), this
request has to come from the user side.
It is not practical to assume that the user knows or has the resource to
do so, and I don't suppose users are willing to give CA their p12 files
and tell CA their passwords.
So, how can I let the user generate a renewal request on the user side?
Thanks. It is getting to be a complete CA.
Weidong
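The user-side step Weidong asks about, as an added example that is not part of the thread: it stands in for the user's existing credential with a locally generated key and self-signed certificate (constructed for the demo), then builds the renewal request with x509 -x509toreq so the private key never has to be handed to the CA. File names and the working directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: generate a renewal CSR on the user's side.
# Everything is constructed locally so it runs offline.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Stand-in for the user's existing credential (constructed): a throwaway key and
# self-signed cert. A real user already has cert.pem/key.pem, or extracts them from
# the p12 with (password prompted locally, never sent to the CA):
#   openssl pkcs12 -in user.p12 -nocerts -nodes -out key.pem
#   openssl pkcs12 -in user.p12 -clcerts -nokeys -out cert.pem
openssl req -new -newkey rsa:2048 -nodes -x509 -days 30 \
  -subj "/CN=example user" -keyout key.pem -out cert.pem 2>/dev/null

# Turn the existing cert back into a request, signed with the user's own key.
# Only renew.csr travels to the CA, which can then run `ca` on it after
# revoking the old cert as described above.
make_renewal_csr() {
  openssl x509 -x509toreq -in cert.pem -signkey key.pem -out renew.csr 2>/dev/null
}

# Checks the user (or the CA on receipt) can run: the CSR's self-signature
# verifies, and its public key matches the public key in the old cert, so the
# request really comes from the holder of the original private key.
csr_ok() {
  openssl req -in renew.csr -noout -verify 2>&1 | grep -q 'verify OK' || return 1
  a=$(openssl x509 -in cert.pem -noout -pubkey | openssl sha256)
  b=$(openssl req -in renew.csr -noout -pubkey | openssl sha256)
  [ "$a" = "$b" ]
}

make_renewal_csr
csr_ok && echo "renew.csr is ready to send to the CA"
```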
+-------------------------------------------------------------------------+
| Administrative requests should be sent to [EMAIL PROTECTED] |
| List service provided by Open Software Associates, http://www.osa.com/ |
+-------------------------------------------------------------------------+