On Wed, Oct 17, 2007 at 08:34:56PM -0700, Jim Fox wrote:
>
> This was a certificate authority certificate.  As such, the renewal has to
> have the same key and DN as the original in order to continue being a CA
> for previously signed certificates.

Further, it won't be a trust root until it's distributed and the
recipients are satisfied that it is legitimate.  And I think that's
the real question:

  When my CA's certificate expires, can I update it without having to
  deliver copies securely to everyone who is supposed to trust my CA?

The answer to *that* question had better be "NO".  It truly doesn't
matter whether you made a new certificate or updated the old one,
because in either case you must distribute it again in a trustworthy
manner or nobody will trust it.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.
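
The renewal case discussed in this thread, as an added example that is not part of either message: a throwaway CA is renewed with the same key and DN, then re-issued with a new key under the same DN, and an already-issued leaf is checked against each. It assumes the `openssl` CLI with its default configuration file; the subject names, file names and lifetimes are constructed for the demo.

```shell
#!/bin/sh
# Added example: constructed throwaway CA; every name and path here is made up.

# Print OK or FAIL for leaf $2 verified against trust anchor $1.
check_leaf() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

demo_ca_renewal() {
    d=$(mktemp -d) || return 1
    subj="/O=Example Org/CN=Example Root CA"   # constructed DN

    # Original CA: new key plus a short-lived self-signed certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca_old.pem" -subj "$subj" -days 30 2>/dev/null

    # A leaf certificate issued by the original CA.
    openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
        -out "$d/leaf.csr" -subj "/CN=host.example.test" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca_old.pem" \
        -CAkey "$d/ca.key" -set_serial 1 -days 10 \
        -out "$d/leaf.pem" 2>/dev/null

    # Renewal: SAME key, SAME DN, new validity period.
    openssl req -x509 -new -key "$d/ca.key" \
        -out "$d/ca_renewed.pem" -subj "$subj" -days 3650 2>/dev/null

    # Re-key: same DN but a NEW key; old signatures no longer verify.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca2.key" \
        -out "$d/ca_rekeyed.pem" -subj "$subj" -days 3650 2>/dev/null

    # Each check names the trust anchor explicitly: the verifier only
    # accepts what it has been handed as -CAfile.
    echo "old=$(check_leaf "$d/ca_old.pem" "$d/leaf.pem")" \
         "renewed=$(check_leaf "$d/ca_renewed.pem" "$d/leaf.pem")" \
         "rekeyed=$(check_leaf "$d/ca_rekeyed.pem" "$d/leaf.pem")"
    rm -rf "$d"
}

demo_ca_renewal   # prints: old=OK renewed=OK rekeyed=FAIL
```

The renewed certificate validates the old leaf only for a verifier that has been given `ca_renewed.pem`; nothing in the renewal itself places that file in anyone's trust store.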
