On Fri, Feb 07, 2003 at 08:24:40PM -0600, [EMAIL PROTECTED] wrote:
> Lutz Jaenicke wrote:
>
> > Hi!
> >
> > I am using OpenCA 0.9.1 (RC something). The first certificates created
> > with OpenCA (an older version) are going to expire soon. How do I handle
> > certificate renewal? If I supply a new request for the same key, OpenCA
> > does not allow generation of a new certificate...
>
> Work in the past has indicated that it's not good practice to "re-use" a key
> in a certificate renewal.
>
> It is more appropriate to generate a new key pair, CRS and certificate.

While from the security point of view your point is correct, it does make
a difference with respect to convenience.
Using a different private key means that I have to collect all of these
keys over the years in order to decrypt all old emails. This is not a
very comfortable way of handling encryption.

In any case it does not solve the expiry problem. I am running an in-house
CA. My co-workers' certificates will run out and I simply would like to
be able to renew them several days in advance and push the new certificates
to them. Of course, the certificates will be issued on the same DN, because
neither the name of the co-worker nor that of the company etc. did change...

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users