Alexei Chetroi wrote:
On Wed, Feb 25, 2004 at 09:28:56AM +0000, Nuno Miguel Neves wrote:
Date: Wed, 25 Feb 2004 09:28:56 +0000
From: Nuno Miguel Neves <[EMAIL PROTECTED]>
Subject: [Openca-Users] CA root certificate renewal

When the root CA certificate expires, how is the PKI maintained? Is it 
necessary to recreate ALL certificates?
If that is the case, it is preferable to issue the root CA with a long 
life (30 years), right?

This has to be thought of in the first place, for defining the root CA 
lifetime.

  Hi,

  I have a very similar question. For example, we are acting as a sub-CA.
The Root CA certifies our public key for a period of 3 years. We
certify clients' public keys for a maximum of 1 year. So it follows
that after two years we have to create another private/public keypair
and have it certified by the Root CA (otherwise, if we used the old cert to sign
a client's key after two years, the client's cert lifetime would exceed the CA
cert lifetime).
 
 So my question is: how is this situation handled? Should we use two
certs, or is one CA certificate used which contains two public keys:
the very first generated key, and another which was generated after
two years?

 Links and other info documents are very much appreciated.

 Thank you

--
Alexei Chetroi

Greetings,

There is extensive discussion on certificate life, root renewal and hierarchy life management within a complex PKI hierarchy in the original SET (Secure Electronic Transactions) documentation.  If you can find it.  I don't know of any other documentation describing this.

If not, the appropriate method for a sub with a three-year validity period that issues one-year end entity certs is to renew the sub CA cert every two years.  Best practice is to generate new keys for every new generation certificate.  DO NOT sign end entity certs during the last year of validity of the sub, as their life will be limited by the expiration of the sub CA certificate.  In several applications, the private key use period is used in roots and subs to limit use during the last year (latency period), but this might present problems if it's needed for CRL signing.

If all validation chaining is to the root, then any end entity certificate issued under that root will authenticate regardless of the sub CA used to issue them.  At least as long as the sub CA is not on a CRL.  End entity certificates should all expire before the sub CA expires anyway so that shouldn't be a problem.

You may contact me off line if there are specific questions

Bill
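Bill's rule above (renew the sub CA cert every `sub lifetime - max end-entity lifetime` years, and never issue an end-entity cert that outlives its issuer) worked through as an added example. This is not code from the thread or from OpenCA; the dates, CA names and the renewal-planning function are constructed here for illustration, and only the validity arithmetic is modelled (no keys, signatures or extensions).

```python
"""Validity-nesting arithmetic for a root / sub-CA / end-entity hierarchy.

Added example with constructed dates; not taken from any real PKI.
Years are added with calendar arithmetic (Feb 29 rolls back to Feb 28).
"""
from dataclasses import dataclass
from datetime import date


def add_years(d: date, years: int) -> date:
    """Shift d by whole years; Feb 29 becomes Feb 28 when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # Feb 29 in a non-leap target year
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class CertValidity:
    name: str
    not_before: date
    not_after: date


def last_issuance_date(ca: CertValidity, max_subject_years: int) -> date:
    """Last day on which `ca` may issue a cert of `max_subject_years` whose
    expiry still falls on or before the CA's own notAfter (Bill's 'do not
    sign during the last year' rule, generalised to any subject lifetime)."""
    return add_years(ca.not_after, -max_subject_years)


def check_nesting(chain):
    """`chain` is ordered root -> ... -> end entity. Each cert's validity
    must lie inside its issuer's. Returns (ok, message)."""
    for issuer, subject in zip(chain, chain[1:]):
        if subject.not_before < issuer.not_before:
            return False, f"{subject.name} starts before issuer {issuer.name}"
        if subject.not_after > issuer.not_after:
            return False, f"{subject.name} expires after issuer {issuer.name}"
    return True, "validity periods nest correctly"


def sub_ca_generations(root, first_not_before, sub_years, max_ee_years):
    """Plan one sub-CA cert per key generation so that a sub able to issue
    `max_ee_years` certs always exists and no sub outlives the root.
    Renewal interval is sub_years - max_ee_years (3 - 1 = every two years)."""
    if max_ee_years >= sub_years:
        raise ValueError("end-entity lifetime must be shorter than the sub-CA's")
    if first_not_before < root.not_before:
        raise ValueError("first sub-CA cannot start before the root")
    interval = sub_years - max_ee_years
    gens = []
    start = first_not_before
    while True:
        end = add_years(start, sub_years)
        if end > root.not_after:
            break  # this generation would outlive the root: the root itself needs renewing
        gens.append(CertValidity(f"sub-gen{len(gens) + 1}", start, end))
        start = add_years(start, interval)
    return gens


# Constructed sample hierarchy: 30-year root, 3-year sub, 1-year end-entity certs.
ROOT = CertValidity("root", date(2004, 1, 1), date(2034, 1, 1))
SUB1 = CertValidity("sub-gen1", date(2004, 1, 1), date(2007, 1, 1))
EE_OK = CertValidity("ee-ok", date(2005, 12, 1), date(2006, 12, 1))    # issued before the cut-off
EE_BAD = CertValidity("ee-bad", date(2006, 6, 1), date(2007, 6, 1))    # issued in the sub's last year


if __name__ == "__main__":
    print("last day sub-gen1 may issue a 1-year cert:", last_issuance_date(SUB1, 1))
    for ee in (EE_OK, EE_BAD):
        print(ee.name, check_nesting([ROOT, SUB1, ee]))
    for g in sub_ca_generations(ROOT, SUB1.not_before, 3, 1):
        print(g.name, g.not_before, g.not_after)
```

The nesting check is the test a relying party effectively performs at validation time, so an end-entity cert signed in the sub's last year is the one that fails it; the planning function shows why the thread's two-year renewal cadence falls out of the 3-year/1-year choice rather than being arbitrary.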
