Hi Andreas: Andreas Grimmel wrote: > Hello list, > <snip> > I got one big problem for now: My self-signed CA cert will expire in > about one month. I installed it 4 years ago and never minded about, but > now I have to renew it.
> The Creation of a whole new CA and client certificates isn't possible > for me because of the large number of clients using my certs (VPN > Roadwarriors, Webservers, Mailservers, and so on). > Since I didn't find very much useful information on the net concerning > the renewal of certificates (might be I did the wrong searches?), I want > to ask you some points: > > - First of all, is there any HowTo that deals not only with creaton, but > also with the renewal of self-signed CA certs in detail? > That depends on what you need to do by policy for renewal. There is no such thing as "technical renewal" - there is only policy based. Since this sounds like an ad-hoc CA without a formal Certificate Policy, you have some choices: 1: Assuming that you've got a sane key length (RSA 1024 or greater), just create a new, self signed certificate with a new validity period and the exact same name as your old one. That way, you'll be able to just keep issuing CRL's with the same keys, and nothing will break. You'll have to distribute out the new certificate to your relying parties, but you'll have to do that no matter what you do. 2: If you're also worried about the private key possibly being compromised due to length of time in service, here's what you do: a: Create an entirely new CA IMMEDIATELY, and only issue new end entity certificates from that CA. b: Keep your old CA around until it expires, and keep issuing Revocation information on those certificates. c: Distribute out the new CA Certificate from (a) to your relying parties. If the lifetime of the CA is now less than the remaining validity of the end entity certificates, I would strongly suggest, if possible, that you do option 1. Otherwise, you're sort of stuck. All of the above is possible using your fairly normal OpenSSL CA commands. > More detailed, and for addressing my actual problem right now, I'd need > to know > - Is it possible to renew a CA cert that way, that those user certs > which I signed with the old CA cert shortly (means less than one year) > ago, still remain valid? This depends on: 1: If you do (1) above, if you give the relying party the new signing CA certificate 2: If you do (2) above, if the client actually checks for CA certificate validity (you'd be amazed at the number that don't :) > - if yes, how would I manage this using the good old openssl commands ? > I'm not sure I understand - as I said above, there is no such thing as technical renewal. The only thing that a CA can do is Sign and Revoke. So everything else is just a function of that. And since your running a CA and issuing and revoking certificates, I can probably safely assume that you know how the commands sign and revoke certs :) > - I assume I have to replace the old with the new CA cert on every > client machine where it is installed, as long as I don't set up a web > based (e.g. url-fetching) mechanism - correct? > Even if you set up a "web based" mechanism, you'll still have to go around to every client and install that certificate into their trusted root or trust anchor store. If you don't have to do any specific action to do this on any of your platforms, I would look at them somewhat suspiciously, because that means that any certificate presented with an AIA field that is followed will be trusted. > Your help is GREATLY appreciated - and thanks a lot in advance. > Hope that helps. --- Patrick Patterson Chief PKI Architect Carillon Information Security Inc. http://www.carillon.ca ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
