Nuno Miguel Neves wrote:
Hi.
When the root CA certificate expires, how is the PKI maintained? Is it necessary to recreate ALL certificates?
If that is the case, it is preferable to issue the root CA with a long life (30 years), right?
This has to be thought of in the first place, for defining the root CA lifetime.
Thanks,
In short, yes.
The root is the source of trust. When it expires, the trust hierarchy goes with it. Most digital signature laws are pretty specific about this.
There is a method I co-invented to forward chain roots (for a specific application), but it's cumbersome and requires creating the next generation root key pair at the time of self-signing the current generation of root CA. This is OK when the roots are renewed annually, but not very efficient for other purposes. For practical purposes, when a root expires, that's it. There is no real method of acceptable forward chaining of a trust hierarchy that I know of.
The proposed method of handling such a situation is to create a root and hierarchy with a reasonable life, say 5 to 7 years. If end entity certificates are issued for 2 years, then a new root is created and usage of the new hierarchy begins two years before the expiration of the first generation of root. In this example, new roots and key pairs would be created every 3 to 5 years, the old roots allowed to expire, the new roots are used as parallel trust hierarchies.
Please don't consider creating a hierarchy with a root CA validity period of 30 years. In some applications, 10 years is a long stretch. For private applications, depending on the conditions of end entity use, business relationships and the risk being addressed by the use of a PKI, 5 to 7 year root CA validity periods are usually preferred.
Contact me off list if there are specifics you want to address.
Bill
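The overlapping-hierarchy scheme Bill describes above (root valid 5 to 7 years, end-entity certs valid 2 years, next root goes live one end-entity lifetime before the old root expires), as an added example that is not part of the original thread and not OpenCA's own code. It computes the rollover schedule, enforces the rule that nothing issued under a root may outlive it, and checks that a chain's validity windows nest. The certificate records, names and dates are constructed placeholders, and a year is approximated as 365 days.

```python
from dataclasses import dataclass
from datetime import date, timedelta

YEAR = timedelta(days=365)  # simplification: leap days are ignored


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a certificate: only the fields the schedule needs."""
    subject: str
    issuer: str
    not_before: date
    not_after: date


def nested_validity(chain):
    """chain is ordered end entity -> ... -> root (the root is self-issued).

    True only if every certificate names the next one as its issuer and its
    validity window lies entirely inside the issuer's window. A leaf that
    outlives its root fails here exactly as it fails in a verifier once the
    root's notAfter has passed.
    """
    if not chain:
        return False
    root = chain[-1]
    if root.subject != root.issuer:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
        if child.not_before < parent.not_before or child.not_after > parent.not_after:
            return False
    return True


def last_issuance_date(root, ee_lifetime):
    """Last day an end-entity cert of the given lifetime can be issued under
    root without outliving it."""
    return root.not_after - ee_lifetime


def root_rollover_schedule(first_start, root_lifetime, ee_lifetime, generations):
    """Each new root goes live one end-entity lifetime before the previous root
    expires; issuance moves to the new root on that date, the old root is
    left to expire, and the two run as parallel trust hierarchies meanwhile."""
    roots = []
    start = first_start
    for g in range(1, generations + 1):
        end = start + root_lifetime
        name = f"Root G{g}"  # hypothetical root name
        roots.append(Cert(name, name, start, end))
        start = end - ee_lifetime
    return roots


def issue_ee(root, subject, issued_on, ee_lifetime):
    """Issue an end-entity cert only if it expires no later than the root."""
    if issued_on < root.not_before or issued_on > last_issuance_date(root, ee_lifetime):
        raise ValueError(
            f"{root.subject} cannot issue a {ee_lifetime.days}-day cert on {issued_on}")
    return Cert(subject, root.subject, issued_on, issued_on + ee_lifetime)


def demo():
    """Worked run with constructed dates: 7-year roots, 2-year end-entity certs."""
    roots = root_rollover_schedule(date(2004, 1, 1), 7 * YEAR, 2 * YEAR, 3)
    g1 = roots[0]
    ok = issue_ee(g1, "server.example", date(2006, 3, 1), 2 * YEAR)
    try:
        issue_ee(g1, "late.example", date(2009, 6, 1), 2 * YEAR)
        late_refused = False
    except ValueError:
        late_refused = True
    # A cert forced through anyway would still fail chain validation.
    bad = Cert("late.example", g1.subject, date(2009, 6, 1), date(2009, 6, 1) + 2 * YEAR)
    return {
        "roots": [(r.subject, r.not_before.isoformat(), r.not_after.isoformat())
                  for r in roots],
        "g1_last_issuance": last_issuance_date(g1, 2 * YEAR).isoformat(),
        "ok_chain": nested_validity([ok, g1]),
        "late_refused": late_refused,
        "bad_chain": nested_validity([bad, g1]),
    }


if __name__ == "__main__":
    for subject, nb, na in demo()["roots"]:
        print(f"{subject}: {nb} .. {na}")
```

With these parameters a new root is created every five years and each generation overlaps the previous one by two years, which matches the "every 3 to 5 years" cadence in the post; shortening the end-entity lifetime shortens the overlap, lengthening the root lifetime stretches the interval between generations.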
Openca-Users mailing list https://lists.sourceforge.net/lists/listinfo/openca-users
