On Wed, 7 Feb 2001, John Douglass wrote:

> Is anyone playing around with certificate renewals?
> 
> I'm trying to figure out how to accomplish this given:
> 
> 1) Certificate is installed in the browser already
> 2) I have the certificate (SPKAC) file on the CA
> 3) I have the signed public key on the CA
> 
> In order to "renew" do I:
> 
> A) Need to "re-sign" the SPKAC request
> 
> or 
> 
> B) Apply modification of the signed public key (with the appropriate
>   commands, then cat to the browser) and update the "index.txt" 
>   file that OpenSSL uses?
> 
> I was originally attempting to revoke, re-sign the SPKAC file
> faking the "serial" number, but OpenSSL didn't like that.
> 
> >:)

I think I figured it out. I just need to re-sign the SPKAC
file and then cat that to Netscape. It does the pairing
up with the private key. Netscape automatically selects the
latest certificate associated with the key. However, the browser
does have a record of the OLD signed key (which you can view/delete
at will). There is a new serial number associated with the certificate
but the old serial will be expired soon at any rate.

Since we're not doing Digital Signature or S/MIME with our certs,
this will probably work for us. I'll have to test the
S/MIME behaviour at a later date to see if this method of renewal
still allows for the encrypted info to be read.

If anyone has a better suggestion or more experience than I, I'd
love the correction in my implementation.

- JohnD, Georgia Tech

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
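
The renewal described in the message above, as an added example that is not part of the original post: a throwaway CA signs one stored SPKAC file twice and the script reports both serials and whether the renewed certificate still carries the user's public key. All file names, subjects and the CA configuration are constructed, and `unique_subject = no` is an assumption of this demo; with that option at its default, `openssl ca` refuses a second valid certificate for the same subject.

```shell
#!/bin/sh
# Added example: throwaway CA and user key; every name and path is constructed.
renew_demo() (
  set -e
  d=$(mktemp -d); cd "$d"
  mkdir newcerts; : > index.txt; echo 01 > serial
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
default_ca = demo
[demo]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
default_days = 30
policy = pol
# Assumption: allow a second live certificate for the same subject.
unique_subject = no
[pol]
commonName = supplied
EOF
  # Demo CA and the user's key pair (in the thread the key lives in the browser).
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
    -keyout ca.key -out ca.crt -days 30 2>/dev/null
  openssl genrsa -out user.key 2048 2>/dev/null
  # The stored SPKAC file: signed public key plus the subject fields.
  { openssl spkac -key user.key -challenge demo; echo "CN=Demo User"; } > user.spkac
  # Original issue, then the "renewal": the same SPKAC file signed again.
  for n in 1 2; do
    openssl ca -batch -config ca.cnf -cert ca.crt -keyfile ca.key \
      -spkac user.spkac -out "cert$n.der" >/dev/null 2>&1
  done
  s1=$(openssl x509 -inform DER -in cert1.der -noout -serial)
  s2=$(openssl x509 -inform DER -in cert2.der -noout -serial)
  # Compare the key in the renewed certificate with the user's own public key.
  openssl pkey -in user.key -pubout -out user.pub
  openssl x509 -inform DER -in cert2.der -noout -pubkey > cert2.pub
  cmp -s user.pub cert2.pub && k=same-key || k=different-key
  echo "$s1 $s2 $k"
  cd /; rm -rf "$d"   # discard the demo keys and CA database
)
renew_demo
```

Both certificates stay listed as valid in `index.txt` until the older one expires or is revoked.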
