(I assume that you're using PIRMA SSL (private isolated root mutual authentication SSL) or a similar mechanism.)

If a certificate is suspended, it may not be used during its suspension period.  Certificates issued under it will not validate to a root that is suspended since its public key is temporarily invalid.  So I don't think it's necessary to revoke all the end user certificates before suspending the root under which they were issued.  Suspending the old root should be a test to determine whether all the users have converted to their new certificates under the new root.  Those that have not will not gain access due to the inability to validate to the suspended root.  They'll be identified when they call to report an interruption in access.  But the difference is that the suspended root can be reactivated to support the errant users until they get their new certificates installed without a lengthy interruption in service.

A revoked end-user certificate would not validate under any circumstances if the validating entity has the current CRL.

HTH.

Bill



David Bannon wrote:
Thanks Bill, my plan was to revoke the user certs and then the CA cert
before issuing any certs. Think I need to do that to ensure that the new
CA Cert is being used to stamp any new certificates issued. From what we
found, there was no way to determine which CA Cert is being used if
there are two active.

And if we revoke the CA Cert, really should revoke all the user certs
first.

But maybe suspending the CA Cert would achieve the same ends. Do you
know if it's possible (and tidy) to suspend the CA Cert without first
revoking the end user certs?

David


On Tue, 2005-11-15 at 22:18 -0600, silverhairbp wrote:
Rather than revoking the original CA certificate, have you considered 
suspending it to see if there are any users that have not installed their 
new certificates?  It would be easy to roll back the old root cert and 
convert those last users, and repeat the suspend root process until all users 
are converted.  That way you can motivate slow converters to get new 
certificates while minimizing their down time.

As a suggestion, when deploying the new hierarchy, manage the validity 
period closely so that you can migrate to a new root without a lot of 
hassle.  There are papers on the technique available.

Bill





-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users