Thanks Bill, my plan was to revoke the user certs and then the CA cert before issuing any certs. Think I need to do that to ensure that the new CA Cert is being used to stamp any new certificates issued. From what we found, there was no way to determine which CA Cert is being used if there are two active.
And if we revoke the CA Cert, really should revoke all the user certs first. But maybe suspending the CA Cert would achieve the same ends. Do you know if it's possible (and tidy) to suspend the CA Cert without first revoking the end user certs?

David

On Tue, 2005-11-15 at 22:18 -0600, silverhairbp wrote:
>
> Rather than revoking the original CA certificate, have you considered
> suspending it to see if there are any users that have not installed their
> new certificates? It would be easy to roll back the old root cert and
> convert the last users, repeat the suspend root process until all users
> are converted. That way you can motivate slow converters to get new
> certificates while minimizing their down time.
>
> As a suggestion, when deploying the new hierarchy, manage the validity
> period closely so that you can migrate to a new root without a lot of
> hassle. There are papers on the technique available.
>
> Bill

_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
