Hi,
This process is not clear to me. Sorry for the questions, but I just read this thread and ended up understanding even less than I thought I understood.
How exactly does this work? We set up a new CA on a different IP address? How does the previous CA cert remain available for verifications? Where is it cached? Why can't we use the current CA with a new (second) CA cert?
Mike
Martin Bartosch wrote:
Hi Jaime,
Thanks for the help, I will start a new CA as soon as possible. How long an expiration time should be OK for a corporate CA cert, 20 or 30 years? Seems that VeriSign and Entrust use 20 or 30 years for their CA certs.
That's right, but most security folks don't like such long times - I suggest 8 years - so if you issue 2-year-valid end-user certs you have 6 years of "usage" time.
I agree with Oliver's opinion. 8 years sounds reasonable. If you really want to address CA rollover properly, issue a new CA after 4 years and use the new one for issuing certs from then on. The old CA should only be used for issuing CRLs. That way you are able to issue end entity certs with a maximum validity of four years at any given point in the CA lifecycle.
Martin
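The rollover schedule described in the quoted reply (8-year CA certs, a new CA every 4 years, the old CA kept only for CRLs), worked through as an added example that is not part of the thread or of OpenCA. The 2004 start date and all function names are assumptions chosen for illustration.

```python
from datetime import date

CA_LIFETIME_YEARS = 8  # CA cert validity suggested in the thread
ROLLOVER_YEARS = 4     # a new CA is created this long after the previous one

def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # Feb 29 in a non-leap target year
        return d.replace(year=d.year + years, day=28)

def ca_generations(first_start, count):
    """Return [(name, not_before, not_after)] for successive CAs."""
    gens = []
    for i in range(count):
        nb = add_years(first_start, i * ROLLOVER_YEARS)
        gens.append((f"CA{i + 1}", nb, add_years(nb, CA_LIFETIME_YEARS)))
    return gens

def unexpired(gens, today):
    """CAs that relying parties must still trust on this date."""
    return [g for g in gens if g[1] <= today < g[2]]

def issuing_ca(gens, today):
    """The newest valid CA: the only one signing end-entity certs."""
    return max(unexpired(gens, today), key=lambda g: g[1])

def crl_only_cas(gens, today):
    """Older unexpired CAs: still verify their certs, sign only CRLs."""
    current = issuing_ca(gens, today)
    return [g for g in unexpired(gens, today) if g != current]

def ee_not_after(gens, today, requested_years):
    """End-entity expiry, capped so it never outlives the issuing CA."""
    return min(add_years(today, requested_years), issuing_ca(gens, today)[2])

if __name__ == "__main__":
    gens = ca_generations(date(2004, 1, 1), 3)  # constructed start date
    for day in (date(2007, 12, 31), date(2008, 1, 1), date(2012, 1, 1)):
        print(day, "issuer:", issuing_ca(gens, day)[0],
              "CRL-only:", [g[0] for g in crl_only_cas(gens, day)],
              "4y cert ends:", ee_not_after(gens, day, 4))
```

On the last day before rollover the issuing CA still has just over four years left, which is why a four-year end-entity cert always fits inside its issuer's lifetime.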
_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
