Ho there,
from the technical perspective (which is the thing this list is
concerned with) a "renewed" certificate is a new certificate for the
same keys as the old one. No step of the three you list as necessary is
necessary from the openssl point of view, but may be required by your CA.
The data contained in the "renewed" certificate, besides the public part
of the key, is completely up to the issuing CA and usually laid down in
their policies.
So, you should address your questions to the CA you want to get your
certificates from. If you are implementing your own CA, you have to
decide what you want to do.
Or was your question about best practices when creating a CA policy?
Hope this helps at least a bit,
Ted
;)
On 21.01.2014 06:51, Kamalraj Madhurakasan wrote:
Hello guys,
I would like to know whether my understanding about certificate
renewal is correct or not.
To renew the certificate:
1. we need to generate a new CSR from the private key
2. revoke the old certificate
3. get the new CSR signed by the CA with validity extended
The fields that are common between the old and the new renewed certificate
will be:
1. SKI
2. AKI
3. Issuer
4. Public Key
The fields that are not common are:
1. subject (I see that while generating new CSR we can change the subject)
2. Serial number
3. Other fields
Please share your inputs on this.
Thanks
Kamalraj
--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
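
The reissue described in the reply above, as an added example that is not part of the original thread: a throwaway CA signs two certificates for the same key, and the script reports which fields stay the same. The CA name, subjects, serial numbers and lifetimes are constructed for the demo; a real CA's policy decides all of them.

```shell
#!/bin/sh
# Added illustration: the CA, subjects, serials and lifetimes are constructed.

# Build a scratch CA, one end-entity key, an original and a "renewed" cert.
make_renewal_demo() {
    d=$1
    mkdir -p "$d" || return 1
    # Minimal config so the demo does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/demo.cnf"
    # Throwaway self-signed CA.
    openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Demo CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # The end-entity key pair that stays the same across renewal.
    openssl genrsa -out "$d/ee.key" 2048 2>/dev/null || return 1
    # Original certificate: serial 01, valid 30 days.
    openssl req -new -config "$d/demo.cnf" -key "$d/ee.key" \
        -subj "/CN=host.example.test" -out "$d/old.csr" || return 1
    openssl x509 -req -in "$d/old.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 1 -days 30 -out "$d/old.crt" 2>/dev/null || return 1
    # "Renewed" certificate: new CSR from the same key, new serial, longer
    # validity, deliberately different subject. Nothing is revoked here.
    openssl req -new -config "$d/demo.cnf" -key "$d/ee.key" \
        -subj "/O=Renamed Org/CN=host.example.test" -out "$d/new.csr" || return 1
    openssl x509 -req -in "$d/new.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 2 -days 365 -out "$d/new.crt" 2>/dev/null || return 1
}

# Print one field of a certificate; $2 is an x509 output option such as -pubkey.
cert_field() { openssl x509 -in "$1" -noout "$2"; }

# Succeed if both certificates carry the same value for the given field.
same_field() { [ "$(cert_field "$1" "$3")" = "$(cert_field "$2" "$3")" ]; }

# Succeed if every certificate given chains to the CA (no CRL is consulted).
verifies() { ca=$1; shift; openssl verify -CAfile "$ca" "$@" >/dev/null 2>&1; }

# Stand-alone run: report which fields survived the renewal.
demo=$(mktemp -d) && make_renewal_demo "$demo" || exit 1
for f in -pubkey -issuer -subject -serial -enddate; do
    if same_field "$demo/old.crt" "$demo/new.crt" "$f"; then s=same; else s=differs; fi
    echo "$f: $s"
done
verifies "$demo/ca.crt" "$demo/old.crt" "$demo/new.crt" && echo "both certificates verify"
```

Both certificates chain to the CA after the reissue, so a relying party that should stop accepting the old one needs revocation or expiry to tell it so.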