On Wed, 2005-11-16 at 11:04 +0100, Hernath Szabolcs wrote:

Thanks Hernath, that's a very interesting idea.

Is it necessary for the start and end dates to be the same as the original? That means I cannot use the OpenCA GUI to create it, but that's not too much of a problem. Would make life a lot easier!

David

> Hi All,
>
> On Tue, 15 Nov 2005, silverhairbp wrote:
>
> > David Bannon wrote:
> >
> >> Folks, I would like to ask for some advice here. We have a problem and
> >> below is our plan to solve it. I'd be very grateful if you could have a
> >> look at it and let me know if you see anything that's going to bite us
> >> unexpectedly.
> >>
> >> The problem
> >> -----------
> >> We use OpenCA 0.9.2 and it was set up some 12 months ago using default
> >> settings. Our CA Certificate was originally issued without the necessary
> >> parameter of keyUsage being 'critical'.
> >>
> >> The solution
> >> ------------
> >> Revoke all 220 certificates, revoke the CA Certificate, issue a new CA
> >> certificate (using existing key) and issue new certificates to users.
>
> I think you should not do that. If the only thing you want to change is
> technical parameters in your root cert, but otherwise use the same
> keypair, you essentially maintain the trust based on the signatures
> made with your original signing key. In other words, you do not need to
> revoke anything; instead you simply reissue your root cert with the same
> DN, serial, keypair and validity dates and changed technical parameters
> (e.g., fixing the keyUsage, changing the signature algorithm etc). In this
> way, signatures made with the old or new root certs will validate against
> either of them. The already issued certificates will not be affected.
>
> Besides, there is no point in revoking a self-signed certificate anyway;
> in case you want to terminate the trust associated with the signatures
> made with a CA's signing key before the expiration of the root cert
> (emergency key changeover), you revoke all issued certificates (except the
> root), publish a last valid CRL, destroy all copies of the CA signing key,
> and start anew with a fresh PKI.
>
> If you only want to terminate the usage of a CA's signing key -without
> disruption of the trust associated with its signatures- (routine key
> changeover), you can harmonize various validity dates and CRL issuance
> frequency such that you can keep your usual operating procedures (issuing
> CRLs as usual) and let all certs (issued and root) expire. Before that
> happens, you already start your fresh PKI in parallel with some useful
> overlap time.
>
> Good Luck,
> Cheers
>
> Szabolcs
>
> P.S.: as a sidenote, if the keypair of a sub-CA is actually compromised in a
> multilevel hierarchy (as opposed to having some flags misconfigured), I
> would definitely *revoke* the sub-CA's root certificate for good, not only
> suspend it. The keypair is the root of your trust - if it's compromised,
> your PKI (under that sub-CA's level) is over.
>
> >> The Plan
> >> ------------
> >> We have established that we can generate a new CA Certificate and OpenCA
> >> (0.9.2) is quite happy. So this is what we'll do; steps 1 - 3 (below)
> >> must be done before implementation date.
> >>
> >> 1) Encourage all end users and RA Operators to lodge new requests for
> >> new certificates.
> >> 2) Ordinary users must meet (again) with RA Operators to show photo ID.
> >> RAO must authorise new applications in normal manner.
> >>
> >> 3) CA Operators and CA Manager will phone RAOs to explicitly confirm
> >> details of their own personal applications, in normal manner.
> >>
> >> ------ Implementation Day --------
> >>
> >> 4) On the CA machine, move the existing CA Certificate files
> >> (from /var/crypto/cacerts) out of the way. Their details will remain in
> >> the database. Start OpenCA, make a new request for a self-signed
> >> certificate and then Generate it. (General->Initialization->Request
> >> Setup, Certificate Setup).
> >>
> >> 5) On RA, revoke all user certificates and process to CA.
> >>
> >> 6) On RA, revoke the old CA Certificate and process to CA.
> >>
> >> 7) Commence issuing the backlog of certificate requests currently
> >> pending, in the normal manner.
> >>
> >> Although we will aim for completing this process in one day, I doubt we
> >> will be able to do so.
> >>
> >> --------------------
> >>
> >> I'll be very grateful for any comments you care to make.
> >>
> >> David
> >>
> >
> > Rather than revoking the original CA certificate, have you considered
> > suspending it to see if there are any users that have not installed their
> > new certificates? It would be easy to roll back the old root cert and convert
> > those last users, and repeat the suspend root process until all users are
> > converted. That way you can motivate slow converters to get new certificates
> > while minimizing their down time.
> >
> > As a suggestion, when deploying the new hierarchy, manage the validity period
> > closely so that you can migrate to a new root without a lot of hassle. There
> > are papers on the technique available.
> >
> > Bill
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
> > Register for a JBoss Training Course. Free Certification Exam
> > for All Training Attendees Through End of 2005.
> > For more info visit:
> > http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
> > _______________________________________________
> > Openca-Users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/openca-users
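Szabolcs's reissue-in-place suggestion, as an added example that is not part of the thread and not OpenCA's or OpenSSL's code: in Go's standard library, the original root is self-signed with a hand-encoded NON-critical keyUsage, a user certificate is issued under it, and the root is then reissued with the same keypair, DN, serial and validity dates but with keyUsage critical; the user certificate chains to either root without any revocation. All names, dates and serials are constructed (the Go x509 API always marks keyUsage critical, which is why the old root's extension is built by hand).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Constructed validity start and the keyUsage extension OID; nothing below is a real CA's data.
var notBefore, oidKeyUsage = time.Date(2004, 11, 1, 0, 0, 0, 0, time.UTC), asn1.ObjectIdentifier{2, 5, 29, 15}

// rootTemplate holds what both roots must share: DN, serial, validity dates and the CA flag.
func rootTemplate() *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(10, 0, 0), BasicConstraintsValid: true, IsCA: true}
}

// Verifies chains leaf to a trust store holding only root, at a date inside both validity periods.
func Verifies(leaf, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: notBefore.AddDate(1, 0, 15)})
	return err == nil
}

// ReissueDemo builds the original root (keyUsage present but NOT critical), a user cert issued
// under it, and the reissued root (same key, DN, serial and dates; keyUsage now critical).
func ReissueDemo() (oldRoot, leaf, newRoot *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	old := rootTemplate()
	ku, _ := asn1.Marshal(asn1.BitString{Bytes: []byte{0x06}, BitLength: 7}) // keyCertSign|cRLSign (bits 5, 6)
	old.ExtraExtensions = []pkix.Extension{{Id: oidKeyUsage, Critical: false, Value: ku}}
	oldDER, _ := x509.CreateCertificate(rand.Reader, old, old, caPub, caKey)
	oldRoot, _ = x509.ParseCertificate(oldDER)
	user := &x509.Certificate{SerialNumber: big.NewInt(220), Subject: pkix.Name{CommonName: "user"},
		NotBefore: notBefore.AddDate(1, 0, 0), NotAfter: notBefore.AddDate(2, 0, 0)}
	userDER, _ := x509.CreateCertificate(rand.Reader, user, oldRoot, userPub, caKey)
	leaf, _ = x509.ParseCertificate(userDER)
	nw := rootTemplate()
	nw.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // Go always emits this extension as critical
	newDER, _ := x509.CreateCertificate(rand.Reader, nw, nw, caPub, caKey)
	newRoot, _ = x509.ParseCertificate(newDER)
	return oldRoot, leaf, newRoot
}
```

Because the signature on the user certificate was made with the same key both roots carry, a verifier holding either root accepts it; only the root's own extensions changed.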
