OpenCA keeps details of the certificates it knows about in a database. For example, if you get it to self sign and generate a CA certificate, it puts that certificate into a directory (cannot remember where, I'm at home at present). But it also keeps the info about the cert in its database. So if you remove the cert files, details of the cert still appear in the gui.
As an experiment, I made a clone of our CA machine. When I tried to generate an additional CA Cert it refused because these files were already in the directory. So I removed them and was allowed to create the additional CA Cert. Now the GUI tells me that there are two CA Certs, both are listed and both can have their details displayed. But only the second one physically exists in that directory. Now, OpenCA knows about that second cert because it generated it; if I generate it by hand (or more correctly, by openssl) I don't see how to get OpenCA to read it into its database. I don't like the idea of directly writing into the database tables, that would be too scary! If it's not in the database, I don't expect it will use the cert to sign other certificates, it won't get transferred back to the RA machine, it won't even appear on the GUI menus.

David

On Wed, 2005-11-16 at 12:28 +0100, Hernath Szabolcs wrote:
>
> On Wed, 16 Nov 2005, David Bannon wrote:
>
> > OK Hernath, that makes sense. But how do I get OpenCA to accept a new,
> > additional certificate if it does not make it itself? I tricked it
>
> How do you mean accept?
>
> > into letting me make a new one (by removing the existing files) but if I
>
> Sorry, I don't get it...
>
> > generate a new certificate externally and then just put the files where
> > OpenCA keeps them, OpenCA will not notice and won't add them to its
>
> I don't have access to my signing machine right now, but I think you
> should simply overwrite all instances of the CA root cert within OpenCA's
> directory tree with the new version.
>
> Szabolcs
>
> > database.
> >
> > David
> >
> > PS: When this is all over, I'll write up the procedure for the FAQ,
> > other people must want this occasionally!
> >
> > On Wed, 2005-11-16 at 11:40 +0100, Hernath Szabolcs wrote:
> >> Hi,
> >>
> >> On Wed, 16 Nov 2005, David Bannon wrote:
> >>> Is it necessary for the start and end dates to be the same as the
> >>> original? Means I cannot use the OpenCA gui to create it but that's not
> >>> too much of a problem.
> >>
> >> You certainly don't want to change the start of validity date of your root
> >> certificate, so you have to create it by hand. You may change the end date
> >> if necessary. In any way, the change (even if you only alter the keyUsage
> >> criticality) should be reflected in your new CP/CPS version.
> >>
> >> Szabolcs
> >>
> >>> Would make life a lot easier!
> >>>
> >>> David
> >>>
> >>>> Hi All,
> >>>>
> >>>> On Tue, 15 Nov 2005, silverhairbp wrote:
> >>>>
> >>>>> David Bannon wrote:
> >>>>>
> >>>>>> Folks, I would like to ask for some advice here. We have a problem and
> >>>>>> below is our plan to solve it. I'd be very grateful if you could have a
> >>>>>> look at it and let me know if you see anything that's going to bite us
> >>>>>> expectantly.
> >>>>>>
> >>>>>> The problem
> >>>>>> -----------
> >>>>>> We use OpenCA 0.9.2 and it was set up some 12 months ago using default
> >>>>>> settings. Our CA Certificate was originally issued without the necessary
> >>>>>> parameter of keyUsage being 'critical'.
> >>>>>>
> >>>>>> The solution
> >>>>>> ------------
> >>>>>> Revoke all 220 certificates, revoke the CA Certificate, issue a new CA
> >>>>>> certificate (using existing key) and issue new certificates to users.
> >>>>
> >>>> I think you should not do that. If the only thing you want to change is
> >>>> technical parameters in your root cert, but otherwise use the same
> >>>> keypair, you essentially maintain the trust based on the signatures
> >>>> made with your original signing key. In other words, you do not need to
> >>>> revoke anything, instead you simply reissue your root cert with the same
> >>>> DN, serial, keypair and validity dates and changed technical parameters
> >>>> (e.g., fixing the keyUsage, changing the signature algorithm etc). In this
> >>>> way, signatures made with the old or new root certs will validate against
> >>>> either of them. The already issued certificates will not be affected.
> >>>>
> >>>> Besides, there is no point in revoking a self-signed certificate anyway;
> >>>> in case you want to terminate the trust associated with the signatures
> >>>> made with a CA's signing key before the expiration of the root cert
> >>>> (emergency key changeover), you revoke all issued certificates (except the
> >>>> root), publish a last valid CRL, destroy all copies of the CA signing key,
> >>>> and start anew with a fresh PKI.
> >>>>
> >>>> If you only want to terminate the usage of a CA's signing key -without
> >>>> disruption of the trust associated with its signatures- (routine key
> >>>> changeover), you can harmonize various validity dates and CRL issuance
> >>>> frequency such that you can keep your usual operating procedures (issuing
> >>>> CRLs as usual) and let all certs (issued and root) expire. Before that
> >>>> happens, you already start your fresh PKI in parallel with some useful
> >>>> overlap time.
> >>>>
> >>>> Good Luck,
> >>>> Cheers
> >>>>
> >>>> Szabolcs
> >>>>
> >>>> P.S.: as a sidenote, if the keypair of sub-CA is actually compromised in a
> >>>> multilevel hierarchy (as opposed to having some flags misconfigured), I
> >>>> would definitely *revoke* the sub-CA's root certificate for good, not only
> >>>> suspend it. The keypair is the root of your trust - if it's compromised,
> >>>> your pki (under that sub-CA's level) is over.
> >>>>
> >>>>>> The Plan
> >>>>>> ------------
> >>>>>> We have established that we can generate a new CA Certificate and OpenCA
> >>>>>> (0.9.2) is quite happy. So this is what we'll do, steps 1 - 3 (below)
> >>>>>> must be done before implementation date.
> >>>>>>
> >>>>>> 1) Encourage all end users and RA Operators to lodge new requests for
> >>>>>> new certificates.
> >>>>>>
> >>>>>> 2) Ordinary users must meet (again) with RA Operators to show photo ID.
> >>>>>> RAO must authorise new applications in normal manner.
> >>>>>>
> >>>>>> 3) CA Operators and CA Manager will phone RAOs to explicitly confirm
> >>>>>> details of their own personal applications, in normal manner.
> >>>>>>
> >>>>>> ------ Implementation Day --------
> >>>>>>
> >>>>>> 4) On the CA machine, move the existing CA Certificate files
> >>>>>> (from /var/crypto/cacerts) out of the way. Their details will remain in
> >>>>>> the database. Start openCA, make a new request for a self signed
> >>>>>> certificate and then Generate it. (General->Initialization->Request
> >>>>>> Setup, Certificate Setup).
> >>>>>>
> >>>>>> 5) On RA, revoke all user certificates and process to CA.
> >>>>>>
> >>>>>> 6) On RA, revoke the old CA Certificate and process to CA.
> >>>>>>
> >>>>>> 7) Commence issuing the backlog of certificate requests currently
> >>>>>> pending, in the normal manner.
> >>>>>>
> >>>>>> Although we will aim for completing this process in one day, I doubt we
> >>>>>> will be able to do so.
> >>>>>>
> >>>>>> --------------------
> >>>>>>
> >>>>>> I'll be very grateful for any comments you care to make.
> >>>>>>
> >>>>>> David
> >>>>>>
> >>>>>
> >>>>> Rather than revoking the original CA certificate, have you considered
> >>>>> suspending it to see if there are any users that have not installed their
> >>>>> new certificates? It would be easy to roll back the old root cert and
> >>>>> convert those last users, repeat the suspend root process until all users
> >>>>> are converted. That way you can motivate slow converters to get new
> >>>>> certificates while minimizing their down time.
> >>>>>
> >>>>> As a suggestion, when deploying the new hierarchy, manage the validity
> >>>>> period closely so that you can migrate to a new root without a lot of
> >>>>> hassle. There are papers on the technique available.
> >>>>>
> >>>>> Bill
> >>>>>
> >>>>> -------------------------------------------------------
> >>>>> This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
> >>>>> Register for a JBoss Training Course. Free Certification Exam
> >>>>> for All Training Attendees Through End of 2005. For more info visit:
> >>>>> http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
> >>>>> _______________________________________________
> >>>>> Openca-Users mailing list
> >>>>> [email protected]
> >>>>> https://lists.sourceforge.net/lists/listinfo/openca-users
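The reissue Szabolcs describes in the thread above (same DN, serial, key pair and validity dates, with only the keyUsage criticality changed) can be exercised end to end with the openssl command line. The script below is an added example written for this page; it is not code from the thread or from OpenCA, and it does not touch OpenCA's database, which is the open question in the message above. The subject, serial number and validity dates are constructed placeholders; on a real CA the existing root's key, DN, serial and notBefore/notAfter are reused, and the end date may be extended as Szabolcs notes. It uses `openssl ca -selfsign` with a throwaway database so that the same serial can be issued twice, and finishes by checking that an end-entity certificate issued under the old root still verifies against the new one.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenCA: reissue a self-signed root
# with the same key pair, subject DN, serial and validity dates, changing only
# keyUsage from non-critical to critical, then confirm that a certificate issued
# under the old root still verifies against the new one.
# Subject, serial and dates are constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ="/O=Example Org (constructed)/CN=Example Root CA (constructed)"
SERIAL=01               # on a real CA: the serial of the existing root cert
START=200101000000Z     # notBefore as ASN.1 UTCTime, must stay identical
END=400101000000Z       # notAfter, kept identical here (may be extended)

# Minimal OpenSSL config: one 'openssl ca' profile plus the extension sets.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = root
[ root ]
dir = $WORK/db
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
default_md = sha256
policy = any
unique_subject = no
[ any ]
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ root_old ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ root_new ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ee ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
EOF

# Self-sign the root CSR against a fresh CA database so the same serial can be
# issued twice: $1 = output file, $2 = extension section to apply.
issue_root() {
    rm -rf "$WORK/db"
    mkdir -p "$WORK/db/newcerts"
    : > "$WORK/db/index.txt"
    echo "$SERIAL" > "$WORK/db/serial"
    openssl ca -batch -config "$WORK/ca.cnf" -selfsign -keyfile "$WORK/root.key" \
        -in "$WORK/root.csr" -extensions "$2" -startdate "$START" -enddate "$END" \
        -notext -out "$1" >/dev/null 2>&1
}

# Stand-in for the existing PKI: the original root key, the old root cert
# (keyUsage not critical) and one end-entity certificate signed by it.
setup_pki() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/root.key" 2>/dev/null
    openssl req -new -config "$WORK/ca.cnf" -key "$WORK/root.key" \
        -subj "$SUBJ" -out "$WORK/root.csr" 2>/dev/null
    issue_root "$WORK/old.pem" root_old
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/ee.key" -subj "/CN=user (constructed)" \
        -out "$WORK/ee.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/ee.csr" -CA "$WORK/old.pem" -CAkey "$WORK/root.key" \
        -set_serial 1000 -days 30 -extfile "$WORK/ca.cnf" -extensions ee \
        -out "$WORK/ee.pem" 2>/dev/null
}

# The changeover itself: same CSR (same key and DN), same serial and dates;
# only the extension section differs.
reissue_root() {
    issue_root "$WORK/new.pem" root_new
}

# Returns 0 when the new root is a drop-in replacement for the old one.
check_reissue() {
    old="$WORK/old.pem"; new="$WORK/new.pem"
    # Same public key, subject, serial number and validity period.
    [ "$(openssl x509 -in "$old" -noout -pubkey)" = "$(openssl x509 -in "$new" -noout -pubkey)" ] || return 1
    old_id=$(openssl x509 -in "$old" -noout -subject -serial -startdate -enddate)
    new_id=$(openssl x509 -in "$new" -noout -subject -serial -startdate -enddate)
    [ "$old_id" = "$new_id" ] || return 1
    # keyUsage was non-critical before and is critical now.
    if openssl x509 -in "$old" -noout -text | grep -q 'Key Usage: critical'; then return 1; fi
    openssl x509 -in "$new" -noout -text | grep -q 'Key Usage: critical' || return 1
    # A certificate issued under the old root validates against either root.
    openssl verify -CAfile "$old" "$WORK/ee.pem" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$new" "$WORK/ee.pem" >/dev/null 2>&1 || return 1
}

setup_pki
reissue_root
if check_reissue; then
    echo "reissued root accepted: same key/DN/serial/dates, keyUsage now critical"
else
    echo "reissue check failed" >&2; exit 1
fi
```

Run it as `sh reissue-root.sh`; it needs only the openssl binary and prints one line on success. The check at the end is the property the thread relies on: because issuer name, serial and public key are unchanged, every certificate already signed with the key chains to the new root exactly as it did to the old one, so nothing has to be revoked. What the script does not do is the part the thread leaves open, namely getting the new file recognised by OpenCA's database, and it does not replace the operational steps Szabolcs mentions: the new root still has to be distributed to every trust store that holds the old one, and the change recorded in the CP/CPS.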
