On Wed, Feb 25, 2004 at 09:28:56AM +0000, Nuno Miguel Neves wrote:
> Date: Wed, 25 Feb 2004 09:28:56 +0000
> From: Nuno Miguel Neves <[EMAIL PROTECTED]>
> Subject: [Openca-Users] CA root certificate renewal
>
> When the root CA certificate expires, how is the PKI maintained? Is it
> necessary to recreate ALL certificates?
> If that is the case, it is preferable to issue the root CA with a long
> life (30 years), right?
>
> This has to be thought of in the first place, for defining the root CA
> lifetime.

Hi,

I have a very similar question. For example, we are acting as a sub-CA. The Root CA certifies our public key for a period of 3 years. We certify clients' public keys for a maximum of 1 year. So the result is that after two years, we have to create another private/public keypair and have it certified by the Root CA (otherwise, if we used the old cert to sign a client's key after two years, the client's cert lifetime would exceed the CA cert lifetime).

So my question is: How is this situation handled? Should we use two certs, or is one CA certificate used which contains two public keys: one, the very first generated key, and another, which was generated after two years?

Links and other info documents are very much appreciated.

Thank you

--
Alexei Chetroi
