and please dont forget to mention to never ever sign a certificate X with the old cas key when X's validity is longer than the old cas keys validity.
Regards Michael (not THE Michael)
Michael Bell wrote:
Pedro Jossi wrote:
Hello to all! I consult them when the CA changes of key. ... It is possible with Openca to generate a new certificate for the CA before expire its old certificate, utilizing a new pair of keys? Leaving the certificate CA old for the firm of CRLs while certificates exist emitted with the old certificate
You perfectly describes a new CA :) If you change the keys and the CA certificate the you have a new CA. Please setup a new OpenCA in this case. We do this too.
You will have two CA in your case. One only issues CRLs and one issues new certificates and CRLs. Please seperate these two systems. Don't mix keys or certificates of different CAs in one system. It is no problem to setup a second CA with OpenCA because OpenCA has not to be licensed :)
Michael
-- accom GmbH & Co. KG Gruener Weg 100 52070 Aachen
Tel: +49 241 918 5228 Fax: +49 241 918 5299
------------------------------------------------------- This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click _______________________________________________ Openca-Users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/openca-users
