Way back in '97 Holger wrote:
> If you don't insist on a consistent index.txt for the ca prog you might do
> something along the following lines (not tested):
>
> x509 -in old_cert -out new_cert -days xxx -sign_key ca_key

I gave this a try just now. The big problem is that you end up with a
new cert which has the same hash as the old one, but a different
signature. So if you simply install it on a host in place of the
old_cert, all the old certs fail on the signature.

I did find though that putting the following in certs:

    hash.1 -> old_cert
    hash.0 -> new_cert

allows old certs to verify, but they will still need re-issuing once
old_cert expires.

Bright ideas - other than new certs?
--sjg
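
The hash.0 / hash.1 layout described in the message above, as an added example that is not part of the original post: a shell function that gives a renewed CA cert the `.0` slot in a hashed cert directory and moves existing links for the same hash up by one. The function names, the sample file names and the optional third argument are assumptions made for illustration; when the hash is not supplied it is computed with `openssl x509 -noout -hash`.

```shell
#!/bin/sh
# Added example (not from the original post).
# Hypothetical helpers: subject_hash, install_ca_link.

# Print the subject hash used to name links in a hashed cert directory.
subject_hash() {
    openssl x509 -noout -hash -in "$1"
}

# install_ca_link DIR CERTFILE [HASH]
#   DIR      hashed cert directory (the "certs" directory in the post)
#   CERTFILE cert file name, relative to DIR
#   HASH     subject hash; computed from the cert when omitted
# The new cert becomes HASH.0; links already present for the same
# hash are renamed upward (HASH.0 -> HASH.1, ...), so the old CA
# cert stays in the directory beside the renewed one.
install_ca_link() {
    dir=$1
    file=$2
    hash=${3:-$(subject_hash "$dir/$file")}
    [ -n "$hash" ] || return 1

    # Find the first unused suffix for this hash.
    n=0
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        n=$((n + 1))
    done

    # Shift existing links up by one, highest first, to free .0.
    while [ "$n" -gt 0 ]; do
        mv "$dir/$hash.$((n - 1))" "$dir/$hash.$n"
        n=$((n - 1))
    done

    ln -s "$file" "$dir/$hash.0"
}

# Typical use (file names are placeholders):
#   install_ca_link certs old_cert.pem
#   install_ca_link certs new_cert.pem
```

Once old_cert expires, removing its link and renumbering the remaining ones keeps the suffixes contiguous.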