Hello, I have been using OpenCA 0.8.1 for our grid CA software,
and am now looking at porting to 0.9.2
What is badly needed is a semi-automatic renewal mechanism, where:
(a) the subject is told somehow, near expiry time, that
they may renew.
This is actually implemented as warnExpiring
--> node interface --> utilities --> warn expiring certs
(b) the subject connects to the public server, and a new
cert request is created with the same DN, plus a new
private key is generated.
[note that (a) & (b) might involve challenge/response]
(c) the old cert is revoked and a new cert is issued
I am having difficulty establishing exactly what support
is there in OpenCA that could be used for such a renewal
mechanism.
Could you suggest what you consider the best way to do this ?
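Steps (b) and (c) above, as an added example written for this page (it is not OpenCA code and not from either poster), driven with plain openssl, which is what OpenCA wraps. The CA directory layout, the config file, the serial numbers, and the DNs /C=DE/O=Grid/CN=Grid CA and /C=DE/O=Grid/CN=alice are assumptions. The point it makes that the post does not: a CA database that enforces one valid certificate per subject (the `openssl ca` default, `unique_subject = yes`) refuses to sign the renewal while the old certificate is still valid, so a same-DN renewal needs that setting off, and the new key is verified to differ from the old one before the old certificate goes on the CRL.

```shell
#!/bin/sh
# Added example, not OpenCA code: steps (b) and (c) of the renewal flow
# with plain openssl. Layout, config and the DNs are assumptions.
set -eu

WORK=$(mktemp -d)
CA_DIR="$WORK/ca"
CFG="$WORK/openssl.cnf"
trap 'rm -rf "$WORK"' EXIT

# Minimal "openssl ca" database. unique_subject=no is the one setting a
# renewal with an unchanged DN depends on: the new cert is signed while
# the old one is still valid in index.txt, which the default (yes) rejects.
setup_ca() {
    mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    echo 01 > "$CA_DIR/crlnumber"
    cat > "$CFG" <<EOF
[ ca ]
default_ca       = grid_ca
[ grid_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = ee_ext
unique_subject   = no
[ policy_any ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ ee_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -new -config "$CFG" -newkey rsa:2048 -nodes \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" -days 3650 \
        -subj "/C=DE/O=Grid/CN=Grid CA" 2>/dev/null
}

# Sign a CSR with the CA; prints the serial of the issued certificate.
issue_cert() {  # $1 csr  $2 cert out
    openssl ca -config "$CFG" -batch -notext -in "$1" -out "$2" >/dev/null 2>&1
    openssl x509 -in "$2" -noout -serial | sed 's/^serial=//'
}

# Step (b): fresh key pair and a CSR that carries exactly the old DN.
# Step (c): issue the new cert, then revoke the old one and publish a CRL.
# Prints the new serial.
renew_cert() {  # $1 old cert  $2 new key out  $3 new cert out
    old_dn=$(openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//')
    openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
        -keyout "$2" -out "$WORK/renew.csr" -subj "$old_dn" 2>/dev/null
    # Refuse to sign if the DN in the request drifted from the old cert.
    csr_dn=$(openssl req -in "$WORK/renew.csr" -noout -subject -nameopt compat | sed 's/^subject= *//')
    [ "$csr_dn" = "$old_dn" ] || { echo "DN mismatch: $csr_dn" >&2; return 1; }
    issue_cert "$WORK/renew.csr" "$3"
    openssl ca -config "$CFG" -revoke "$1" >/dev/null 2>&1
    openssl ca -config "$CFG" -gencrl -out "$CA_DIR/crl.pem" >/dev/null 2>&1
}

# End-to-end run; prints one line of facts the caller can check.
renewal_demo() {
    setup_ca
    openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
        -keyout "$WORK/alice.key" -out "$WORK/alice.csr" \
        -subj "/C=DE/O=Grid/CN=alice" 2>/dev/null
    old=$(issue_cert "$WORK/alice.csr" "$WORK/alice.crt")
    new=$(renew_cert "$WORK/alice.crt" "$WORK/alice2.key" "$WORK/alice2.crt")
    dn1=$(openssl x509 -in "$WORK/alice.crt" -noout -subject -nameopt RFC2253)
    dn2=$(openssl x509 -in "$WORK/alice2.crt" -noout -subject -nameopt RFC2253)
    k1=$(openssl rsa -in "$WORK/alice.key" -noout -modulus 2>/dev/null)
    k2=$(openssl rsa -in "$WORK/alice2.key" -noout -modulus 2>/dev/null)
    if openssl crl -in "$CA_DIR/crl.pem" -noout -text | grep -q "Serial Number: $old"; then
        revoked=yes; else revoked=no; fi
    echo "old=$old new=$new same_dn=$([ "$dn1" = "$dn2" ] && echo yes || echo no)" \
         "new_key=$([ "$k1" != "$k2" ] && echo yes || echo no) revoked=$revoked"
}
```

Running `renewal_demo` prints `old=01 new=02 same_dn=yes new_key=yes revoked=yes`. The `2>/dev/null` redirects only silence key-generation chatter; drop them when something fails. Issuing the new certificate before revoking the old one is deliberate, so the subject never has a moment without a valid certificate; that ordering is exactly why `unique_subject = no` is required.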
First some questions:
1. It looks like you need no user interaction until you roll out the certificate. Is this correct?
2. Why do you want to revoke the old certificate? This results in big CRLs if you have many customers - and grids should be really big.
3. If the process is nearly fully automatic, why do you want to warn the users before expiry?
If I had to implement such a renewal process, I would think about using and customizing the batchprocessors. Perhaps the processors are not exactly what you need, but it should be possible to adapt them to your needs.
Michael
-- 
-------------------------------------------------------------------
Michael Bell                    Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice  Tel.: +49 (0)30-2093 2482
(Computing Centre)              Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                    Email (private): [EMAIL PROTECTED]
Germany                         http://www.openca.org
_______________________________________________
Openca-Users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/openca-users
