Lutz Jaenicke wrote:

> I am using OpenCA 0.9.1 (RC something). The first certificates created
> with OpenCA (an older version) are going to expire soon. How do I handle
> certificate renewal? If I supply a new request for the same key, OpenCA
> does not allow generation of a new certificate...

OpenCA includes a mechanism to protect against key compromise by bad random number generators. If you need a new cert for the same key then please go to the old request (now archived request). There is a renew button.

Please keep in mind that the actual OpenSSL ca command is a little bit problematical (or better, the database handling is the problem) if you try to issue a certificate with the same DN (I think you know this problem better than I :) ). There are four solutions:

1. Issue a certificate with a different DN. If you include the serial number in the DN then there is no problem by default.

2. There is a patch for OpenSSL to deactivate the index verification of OpenSSL for DNs (-nouniqueDN). This patch was contributed to OpenSSL but was not included in 0.9.7 because it was too late, and until today nobody added it to the 0.9.8 tree, but it is in the bug tracking system of OpenSSL (#299). I think there are too many problems with the 0.9.7. The patch itself was for 0.9.7 snapshots during the beta phase of 0.9.7.

3. You wait until the certs are expired, renew the requests and then you can issue certs with the same DN.

4. You revoke the old certs, renew the archived requests and then you can issue new certs with the same DN.

I think the following about the options:

- 3 and 4 are obsolete
- 2 is the best way but you have to patch OpenSSL
- 1 is the default way if you can accept another DN for the new certs

I hope one of these options works for you. What do you think about them?

Best regards

Michael
--
-------------------------------------------------------------------
Michael Bell Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter Email: [EMAIL PROTECTED]
Humboldt-University of Berlin Tel.: +49 (0)30-2093 2482
Unter den Linden 6 Fax: +49 (0)30-2093 2959
10099 Berlin
Germany http://www.openca.org
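
The following is an added example for readers of this thread; it is not code from the post, from OpenCA or from OpenSSL. It models the "database handling" problem Michael describes: openssl ca keeps its issued certificates in index.txt and builds its by-subject index only from rows whose status is V, so a second certificate with the same DN is refused while a valid one exists, but not after the old entry is revoked (option 4) or marked expired (option 3). The index rows are constructed sample data; the `unique_subject` argument is an assumption that mirrors the OpenSSL CA configuration option of that name (the -nouniqueDN patch from the thread switches the same check off).

```python
"""Model of the openssl ca unique-subject check over an index.txt database.

Added example for the thread above; not code from the post, OpenCA or OpenSSL.
The index rows are constructed sample data, and the ``unique_subject``
argument is an assumption modelling the OpenSSL CA config option of that
name (the -nouniqueDN patch discussed in the thread switches the check off).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IndexEntry:
    # One tab-separated row of index.txt:
    #   status   V (valid), R (revoked) or E (expired)
    #   expiry   notAfter as YYMMDDHHMMSSZ
    #   revoked  empty, or revocation date with an optional ",reason" suffix
    #   serial   certificate serial number in hex
    #   filename always "unknown" for openssl ca
    #   subject  the DN in /C=.../O=.../CN=... form
    status: str
    expiry: str
    revoked: str
    serial: str
    filename: str
    subject: str


# Constructed sample database: one valid, one revoked and one expired cert.
SAMPLE_INDEX = (
    "V\t040115120000Z\t\t01\tunknown\t/C=DE/O=Example CA/CN=alice\n"
    "R\t040115120000Z\t030601090000Z,keyCompromise\t02\tunknown\t/C=DE/O=Example CA/CN=bob\n"
    "E\t020101000000Z\t\t03\tunknown\t/C=DE/O=Example CA/CN=carol\n"
)


def parse_index(text: str) -> List[IndexEntry]:
    """Parse index.txt text into entries, rejecting rows with the wrong field count."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index row: {line!r}")
        entries.append(IndexEntry(*fields))
    return entries


def format_index(entries: List[IndexEntry]) -> str:
    """Serialise entries back into index.txt form."""
    return "".join(
        "\t".join([e.status, e.expiry, e.revoked, e.serial, e.filename, e.subject]) + "\n"
        for e in entries
    )


def find_blocking_entry(entries, subject, unique_subject=True) -> Optional[IndexEntry]:
    """Return the row that stops a new cert for `subject` being issued, or None.

    openssl ca builds its by-subject index only from rows whose status is 'V',
    so revoked ('R') and expired ('E') rows never block a reissue.  With the
    check switched off (unique_subject=False) nothing blocks.
    """
    if not unique_subject:
        return None
    for e in entries:
        if e.status == "V" and e.subject == subject:
            return e
    return None


def revoke(entries, serial, when, reason=None) -> bool:
    """Option 4 from the thread: mark the valid cert with `serial` as revoked."""
    for e in entries:
        if e.serial == serial and e.status == "V":
            e.status = "R"
            e.revoked = when if reason is None else f"{when},{reason}"
            return True
    return False


def mark_expired(entries, now) -> int:
    """Option 3 from the thread: flip valid rows past their notAfter to 'E'.

    A cert past notAfter stays 'V' in index.txt until the database is
    refreshed (openssl ca -updatedb does this), so waiting alone is not enough.
    Dates compare as strings, which is fine for YYMMDD... within one century.
    """
    changed = 0
    for e in entries:
        if e.status == "V" and e.expiry < now:
            e.status = "E"
            changed += 1
    return changed


if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    alice = "/C=DE/O=Example CA/CN=alice"
    print("alice blocked by serial", find_blocking_entry(db, alice).serial)
    revoke(db, "01", "030701100000Z", "superseded")
    print("alice blocked after revocation:", find_blocking_entry(db, alice))
    print(format_index(db), end="")
```

Running the module walks through the case from the thread: alice's valid entry blocks a reissue, and after `revoke` (option 4) the same DN is accepted again; `mark_expired` does the same for option 3, with the caveat that the status only changes once the database is refreshed.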


