Folks, I would like to ask for some advice here. We have a problem and below is our plan to solve it. I'd be very grateful if you could have a look at it and let me know if you see anything that's going to bite us unexpectedly.
The problem
-----------
We use OpenCA 0.9.2 and it was set up some 12 months ago using default settings. Our CA Certificate was originally issued without the necessary parameter of keyUsage being 'critical'.

The solution
------------
Revoke all 220 certificates, revoke the CA Certificate, issue a new CA certificate (using the existing key) and issue new certificates to users.

The Plan
------------
We have established that we can generate a new CA Certificate and OpenCA (0.9.2) is quite happy. So this is what we'll do; steps 1 - 3 (below) must be done before the implementation date.

1) Encourage all end users and RA Operators to lodge new requests for new certificates.

2) Ordinary users must meet (again) with RA Operators to show photo ID. RAO must authorise new applications in the normal manner.

3) CA Operators and CA Manager will phone RAOs to explicitly confirm details of their own personal applications, in the normal manner.

------ Implementation Day --------

4) On the CA machine, move the existing CA Certificate files (from /var/crypto/cacerts) out of the way. Their details will remain in the database. Start openCA, make a new request for a self-signed certificate and then Generate it. (General->Initialization->Request Setup, Certificate Setup).

5) On RA, revoke all user certificates and process to CA.

6) On RA, revoke the old CA Certificate and process to CA.

7) Commence issuing the backlog of certificate requests currently pending, in the normal manner.

Although we will aim for completing this process in one day, I doubt we will be able to do so.

--------------------

I'll be very grateful for any comments you care to make.

David

--
-------------------------------------------
David Bannon
VPAC Systems Manager www.vpac.org
P: 61 3 9925 4733 M: 0418 525687
-------------------------------------------
Humpty Dumpty was pushed !
_______________________________________________
Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users
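The plan hinges on the new CA certificate actually carrying keyUsage as a critical extension, so a quick check of the certificate OpenCA produces in step 4 (before revoking anything) is worth having. The following is an added example, not part of David's post or of OpenCA: a small pure-stdlib Python script that walks the DER structure of any X.509 certificate and reports whether id-ce-keyUsage (OID 2.5.29.15) is present and flagged critical. It includes two constructed mock certificates (unsigned, placeholder name "Mock CA") so it runs offline; the function names and the mock builder are my own.

```python
"""Report whether an X.509 certificate marks its keyUsage extension critical.

A minimal DER reader walks Certificate -> tbsCertificate -> extensions. Works
on any DER-encoded certificate (PEM must be base64-decoded first). The two
mock certificates built at the bottom are constructed test data, not real CA
material.
"""

KEY_USAGE_OID = "2.5.29.15"          # id-ce-keyUsage


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits give byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Split the content of a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        out.append((tag, val))
    return out


def _decode_oid(raw):
    """Decode OID content octets (base-128 arcs) to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def extensions(cert_der):
    """Return {oid: critical_flag} for every extension in a DER certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)          # outer Certificate SEQUENCE
    tbs = _children(cert)[0][1]                  # tbsCertificate is the first child
    result = {}
    for tag, val in _children(tbs):
        if tag == 0xA3:                          # [3] EXPLICIT Extensions
            _, ext_seq = _children(val)[0]       # Extensions ::= SEQUENCE OF Extension
            for _, ext in _children(ext_seq):
                fields = _children(ext)          # extnID, [critical], extnValue
                oid = _decode_oid(fields[0][1])
                # critical BOOLEAN DEFAULT FALSE: DER omits it entirely when false,
                # so only a three-field Extension can be critical.
                critical = (len(fields) == 3 and fields[1][0] == 0x01
                            and fields[1][1] != b"\x00")
                result[oid] = critical
    return result


def key_usage_is_critical(cert_der):
    """True only if keyUsage is present AND flagged critical."""
    return extensions(cert_der).get(KEY_USAGE_OID, False)


# ---- constructed mock certificates for offline testing (not real CA material) ----
def _der(tag, content):
    """Encode one TLV, using long-form length when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _mock_cert(key_usage_critical):
    """Build a syntactically valid v3 certificate with a dummy signature."""
    sha256_rsa = _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))
    rsa_enc = _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01") + _der(0x05, b""))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, b"Mock CA"))))
    ku_value = _der(0x04, _der(0x03, b"\x01\x06"))       # BIT STRING: keyCertSign | cRLSign
    ext = _der(0x06, b"\x55\x1D\x0F")                     # 2.5.29.15
    if key_usage_critical:
        ext += _der(0x01, b"\xff")                        # critical TRUE
    ext += ku_value
    exts = _der(0xA3, _der(0x30, _der(0x30, ext)))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))            # version v3
               + _der(0x02, b"\x01")                      # serialNumber
               + sha256_rsa + name
               + _der(0x30, _der(0x17, b"050101000000Z") + _der(0x17, b"060101000000Z"))
               + name
               + _der(0x30, rsa_enc + _der(0x03, b"\x00" * 17))   # placeholder SPKI
               + exts)
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 17))  # dummy signature


if __name__ == "__main__":
    for label, cert in (("critical", _mock_cert(True)), ("non-critical", _mock_cert(False))):
        print(label, "->", extensions(cert), "keyUsage critical:", key_usage_is_critical(cert))
```

To check a real certificate, read the DER file into bytes and pass it to `key_usage_is_critical`; for PEM, strip the header and footer lines and base64-decode the body first.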
