OK Hernath, that makes sense. But how do I get OpenCA to accept a new, additional certificate if it does not make it itself? I tricked it into letting me make a new one (by removing the existing files), but if I generate a new certificate externally and then just put the files where OpenCA keeps them, OpenCA will not notice and won't add them to its database.
David

PS: When this is all over, I'll write up the procedure for the FAQ; other people must want this occasionally!

On Wed, 2005-11-16 at 11:40 +0100, Hernath Szabolcs wrote:
> Hi,
>
> On Wed, 16 Nov 2005, David Bannon wrote:
> > Is it necessary for the start and end dates to be the same as the
> > original? Means I cannot use the OpenCA GUI to create it, but that's not
> > too much of a problem.
>
> You certainly don't want to change the start of validity date of your root
> certificate, so you have to create it by hand. You may change the end date
> if necessary. In any case, the change (even if you only alter the keyUsage
> criticality) should be reflected in your new CP/CPS version.
>
> Szabolcs
>
> > Would make life a lot easier!
> >
> > David
> >
> >> Hi All,
> >>
> >> On Tue, 15 Nov 2005, silverhairbp wrote:
> >>
> >>> David Bannon wrote:
> >>>
> >>>> Folks, I would like to ask for some advice here. We have a problem and
> >>>> below is our plan to solve it. I'd be very grateful if you could have a
> >>>> look at it and let me know if you see anything that's going to bite us
> >>>> unexpectedly.
> >>>>
> >>>> The problem
> >>>> -----------
> >>>> We use OpenCA 0.9.2 and it was set up some 12 months ago using default
> >>>> settings. Our CA Certificate was originally issued without the necessary
> >>>> parameter of keyUsage being 'critical'.
> >>>>
> >>>> The solution
> >>>> ------------
> >>>> Revoke all 220 certificates, revoke the CA Certificate, issue a new CA
> >>>> certificate (using existing key) and issue new certificates to users.
> >>
> >> I think you should not do that. If the only thing you want to change is
> >> technical parameters in your root cert, but otherwise use the same
> >> keypair, you essentially maintain the trust based on the signatures
> >> made with your original signing key. In other words, you do not need to
> >> revoke anything; instead you simply reissue your root cert with the same
> >> DN, serial, keypair and validity dates and changed technical parameters
> >> (e.g., fixing the keyUsage, changing the signature algorithm etc.). In this
> >> way, signatures made with the old or new root certs will validate against
> >> either of them. The already issued certificates will not be affected.
> >>
> >> Besides, there is no point in revoking a self-signed certificate anyway.
> >> In case you want to terminate the trust associated with the signatures
> >> made with a CA's signing key before the expiration of the root cert
> >> (emergency key changeover), you revoke all issued certificates (except the
> >> root), publish a last valid CRL, destroy all copies of the CA signing key,
> >> and start anew with a fresh PKI.
> >>
> >> If you only want to terminate the usage of a CA's signing key -without
> >> disruption of the trust associated with its signatures- (routine key
> >> changeover), you can harmonize various validity dates and CRL issuance
> >> frequency such that you can keep your usual operating procedures (issuing
> >> CRLs as usual) and let all certs (issued and root) expire. Before that
> >> happens, you already start your fresh PKI in parallel with some useful
> >> overlap time.
> >>
> >> Good Luck,
> >> Cheers
> >>
> >> Szabolcs
> >>
> >> P.S.: as a sidenote, if the keypair of a sub-CA is actually compromised in a
> >> multilevel hierarchy (as opposed to having some flags misconfigured), I
> >> would definitely *revoke* the sub-CA's root certificate for good, not only
> >> suspend it. The keypair is the root of your trust - if it's compromised,
> >> your PKI (under that sub-CA's level) is over.
> >>
> >>>> The Plan
> >>>> ------------
> >>>> We have established that we can generate a new CA Certificate and OpenCA
> >>>> (0.9.2) is quite happy. So this is what we'll do; steps 1 - 3 (below)
> >>>> must be done before implementation date.
> >>>>
> >>>> 1) Encourage all end users and RA Operators to lodge new requests for
> >>>> new certificates.
> >>>>
> >>>> 2) Ordinary users must meet (again) with RA Operators to show photo ID.
> >>>> RAO must authorise new applications in normal manner.
> >>>>
> >>>> 3) CA Operators and CA Manager will phone RAOs to explicitly confirm
> >>>> details of their own personal applications, in normal manner.
> >>>>
> >>>> ------ Implementation Day --------
> >>>>
> >>>> 4) On the CA machine, move the existing CA Certificate files
> >>>> (from /var/crypto/cacerts) out of the way. Their details will remain in
> >>>> the database. Start OpenCA, make a new request for a self-signed
> >>>> certificate and then Generate it. (General->Initialization->Request
> >>>> Setup, Certificate Setup).
> >>>>
> >>>> 5) On RA, revoke all user certificates and process to CA.
> >>>>
> >>>> 6) On RA, revoke the old CA Certificate and process to CA.
> >>>>
> >>>> 7) Commence issuing the backlog of certificate requests currently
> >>>> pending, in the normal manner.
> >>>>
> >>>> Although we will aim for completing this process in one day, I doubt we
> >>>> will be able to do so.
> >>>>
> >>>> --------------------
> >>>>
> >>>> I'll be very grateful for any comments you care to make.
> >>>>
> >>>> David
> >>>
> >>> Rather than revoking the original CA certificate, have you considered
> >>> suspending it to see if there are any users that have not installed their
> >>> new certificates? It would be easy to roll back the old root cert and
> >>> convert the last users, and repeat the suspend-root process until all
> >>> users are converted. That way you can motivate slow converters to get new
> >>> certificates while minimizing their down time.
> >>>
> >>> As a suggestion, when deploying the new hierarchy, manage the validity
> >>> period closely so that you can migrate to a new root without a lot of
> >>> hassle. There are papers on the technique available.
> >>>
> >>> Bill
> >>>
> >>> -------------------------------------------------------
> >>> This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
> >>> Register for a JBoss Training Course. Free Certification Exam
> >>> for All Training Attendees Through End of 2005. For more info visit:
> >>> http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
> >>> _______________________________________________
> >>> Openca-Users mailing list
> >>> [email protected]
> >>> https://lists.sourceforge.net/lists/listinfo/openca-users
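Szabolcs's advice above is to reissue the root with the same DN, serial, key pair and validity dates and change only the technical parameters, so that everything already signed by the CA key still validates. The following is an added example written for this page, not code from OpenCA or from anyone in the thread, showing that operation with the Python `cryptography` library: it builds a root whose keyUsage is not critical (the situation David describes), issues a user certificate under it, rebuilds the root from the old certificate's own fields with keyUsage now critical, and checks that the user certificate's signature verifies against both roots. The DN, dates, serial numbers and key size are constructed values for the demonstration; OpenCA itself drives openssl for this, which the thread does not detail.

```python
"""Reissue a self-signed root with the same DN, serial, key pair and validity
dates but a corrected (critical) keyUsage, then show that a certificate
issued under the old root still validates against the new one.

Added example, not OpenCA code. Uses the `cryptography` library; the DN,
dates, serials and key size below are constructed for the demonstration."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
# Constructed stand-ins for the original CA's data.
ROOT_DN = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
NOT_BEFORE = datetime.datetime(2004, 11, 16, tzinfo=UTC)
NOT_AFTER = datetime.datetime(2014, 11, 16, tzinfo=UTC)
ROOT_SERIAL = 1

# keyUsage bits appropriate for a CA certificate.
CA_KEY_USAGE = dict(digital_signature=True, content_commitment=False,
                    key_encipherment=False, data_encipherment=False,
                    key_agreement=False, key_cert_sign=True, crl_sign=True,
                    encipher_only=False, decipher_only=False)


def validity(cert):
    """(notBefore, notAfter); cryptography >= 42 exposes tz-aware *_utc properties."""
    try:
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:
        return cert.not_valid_before, cert.not_valid_after


def build_root(key, key_usage_critical):
    """Self-signed root; key_usage_critical=False models the original mistake."""
    return (x509.CertificateBuilder()
            .subject_name(ROOT_DN).issuer_name(ROOT_DN)
            .public_key(key.public_key())
            .serial_number(ROOT_SERIAL)
            .not_valid_before(NOT_BEFORE).not_valid_after(NOT_AFTER)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.KeyUsage(**CA_KEY_USAGE), critical=key_usage_critical)
            .sign(key, hashes.SHA256()))


def reissue_root(old_root, key):
    """Rebuild the root from the old certificate's own fields, changing only the
    keyUsage criticality. DN, serial, public key, notBefore and notAfter are
    copied, so nothing signed with this key needs to be reissued or revoked."""
    if old_root.public_key().public_numbers() != key.public_key().public_numbers():
        raise ValueError("signing key does not match the public key in the old root")
    not_before, not_after = validity(old_root)
    return (x509.CertificateBuilder()
            .subject_name(old_root.subject).issuer_name(old_root.issuer)
            .public_key(old_root.public_key())
            .serial_number(old_root.serial_number)
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.KeyUsage(**CA_KEY_USAGE), critical=True)
            .sign(key, hashes.SHA256()))


def issue_end_entity(root, ca_key, subject_cn, serial):
    """An ordinary user certificate signed by the CA key (constructed dates)."""
    ee_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
            .issuer_name(root.subject)
            .public_key(ee_key.public_key())
            .serial_number(serial)
            .not_valid_before(datetime.datetime(2005, 6, 1, tzinfo=UTC))
            .not_valid_after(datetime.datetime(2006, 6, 1, tzinfo=UTC))
            .sign(ca_key, hashes.SHA256()))


def signed_by(cert, issuer_cert):
    """True if issuer_cert's public key verifies cert's signature (RSA PKCS#1 v1.5)."""
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def key_usage_is_critical(cert):
    return cert.extensions.get_extension_for_class(x509.KeyUsage).critical


def demo():
    """Old root (keyUsage not critical), a user cert under it, and the reissued root."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    old_root = build_root(ca_key, key_usage_critical=False)
    user = issue_end_entity(old_root, ca_key, "Example User", 42)
    new_root = reissue_root(old_root, ca_key)
    return old_root, new_root, user


if __name__ == "__main__":
    old, new, user = demo()
    print("old root keyUsage critical:", key_usage_is_critical(old))
    print("new root keyUsage critical:", key_usage_is_critical(new))
    print("user cert validates against old root:", signed_by(user, old))
    print("user cert validates against new root:", signed_by(user, new))
```

Two points worth keeping in mind when doing this for real. First, although the old and new root share issuer, serial, key and dates, their DER encodings and therefore their fingerprints differ, so any trust store or application that identifies certificates by fingerprint will treat the new root as a different certificate and it has to be distributed to relying parties like any new trust anchor. Second, the signing key must be exactly the one in the old root; the check at the top of `reissue_root` refuses to proceed otherwise, because a root signed with a different key would invalidate every certificate issued so far.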
