On Wed, 16 Nov 2005, David Bannon wrote:
OpenCA keeps details of the certificates it knows about in a database.
For example, if you get it to self sign and generate a CA certificate,
it puts that certificate into a directory (cannot remember where, I'm at
home at present). But it also keeps the info about the cert in its
database. So if you remove the cert files, details of the cert still
appear in the gui.
Well first of all I have to admit that:
1. I can make whatever file I want to be the CA root certificate served to
my clients on the public interface, and
2. I do not quite care what OpenCA displays in the gui,
as the main distribution channel in my case is a well-controlled set of
packages containing the CA root certificates used by the clients in the
authentication fabric. As I said, you need a working, safe root
distribution system anyway to replace previous versions.
As an experiment, I made a clone of our CA machine.
When I tried to generate an additional CA Cert it refused because these
files were already in the directory. So I removed them and was allowed
to create the additional CA Cert. Now the GUI tells me that there are
two CA Certs, both are listed and both can have their details displayed.
But only the second one physically exists in that directory.
I don't think you need this. Just create the appropriate new version of
the CA cert, stop OpenCA, copy over all instances of the root cert and
restart.
Now, OpenCA knows about that second cert because it generated it, if I
generate it by hand (or more correctly, by openssl) I don't see how to
get OpenCA to read it into its database. I don't like the idea of
directly writing into the database tables, that would be too scary !
Then you don't get in this trouble in the first place.
If it's not in the database, I don't expect it will use the cert to sign
other certificates, it won't get transferred back to the RA machine, it
won't even appear on the GUI menus.
Well, just expect it to use the new version to sign other certificates,
and get transferred back to the RA machine - but forgive me for the gui
menus, I do not look at them.
Szabolcs
David
On Wed, 2005-11-16 at 12:28 +0100, Hernath Szabolcs wrote:
On Wed, 16 Nov 2005, David Bannon wrote:
OK Hernath, that makes sense. But how do I get OpenCA to accept a new,
additional certificate if it does not make it itself ?
How do you mean accept?
I tricked it into letting me make a new one (by removing the existing
files) but if I generate a new certificate externally and then just put
the files where OpenCA keeps them, OpenCA will not notice and won't add
them to its database.
Sorry, I don't get it... I don't have access to my signing machine right
now, but I think you should simply overwrite all instances of the CA root
cert within OpenCA's directory tree with the new version.
Szabolcs
David
PS : When this is all over, I'll write up the procedure for the FAQ,
other people must want this occasionally !
On Wed, 2005-11-16 at 11:40 +0100, Hernath Szabolcs wrote:
Hi,
On Wed, 16 Nov 2005, David Bannon wrote:
Is it necessary for the start and end dates to be the same as the
original ? Means I cannot use the OpenCA gui to create it but thats not
too much of a problem.
You certainly don't want to change the start of validity date of your root
certificate, so you have to create it by hand. You may change the end date
if necessary. In any case, the change (even if you only alter the keyUsage
criticality) should be reflected in your new CP/CPS version.
Szabolcs
Would make life a lot easier !
David
Hi All,
On Tue, 15 Nov 2005, silverhairbp wrote:
David Bannon wrote:
Folks, I would like to ask for some advice here. We have a problem and
below is our plan to solve it. I'd be very grateful if you could have a
look at it and let me know if you see anything that's going to bite us
unexpectedly.
The problem
-----------
We use OpenCA 0.9.2 and it was setup some 12 months ago using default
settings. Our CA Certificate was originally issued without the necessary
parameter of keyUsage being 'critical'.
The solution
------------
Revoke all 220 certificates, revoke the CA Certificate, issue a new CA
certificate (using existing key) and issue new certificates to users.
I think you should not do that. If the only thing you want to change is
technical parameters in your root cert, but otherwise use the same
keypair, you essentially maintain the trust based on the signatures
made with your original signing key. In other words, you do not need to
revoke anything, instead you simply reissue your root cert with the same
DN, serial, keypair and validity dates and changed technical parameters
(e.g., fixing the keyUsage, changing the signature algorithm etc). In this
way, signatures made with the old or new root certs will validate against
either of them. The already issued certificates will not be affected.
Besides, there is no point in revoking a self-signed certificate anyway.
In case you want to terminate the trust associated with the signatures
made with a CA's signing key before the expiration of the root cert
(emergency key changeover), you revoke all issued certificates (except the
root), publish a last valid CRL, destroy all copies of the CA signing key,
and start anew with a fresh PKI.
If you only want to terminate the usage of a CA's signing key (without
disruption of the trust associated with its signatures; routine key
changeover), you can harmonize various validity dates and CRL issuance
frequency such that you can keep your usual operating procedures (issuing
CRLs as usual) and let all certs (issued and root) expire. Before that
happens, you already start your fresh PKI in parallel with some useful
overlap time.
Good Luck,
Cheers
Szabolcs
P.S.: as a side note, if the keypair of a sub-CA is actually compromised in a
multilevel hierarchy (as opposed to having some flags misconfigured), I
would definitely *revoke* the sub-CA's root certificate for good, not only
suspend it. The keypair is the root of your trust - if it's compromised,
your PKI (under that sub-CA's level) is over.
The Plan
------------
We have established that we can generate a new CA Certificate and OpenCA
(0.9.2) is quite happy. So this is what we'll do, steps 1 - 3 (below)
must be done before implementation date.
1) Encourage all end users and RA Operators to lodge new requests for
new certificates.
2) Ordinary users must meet (again) with RA Operators to show photo ID.
RAO must authorise new applications in normal manner.
3) CA Operators and CA Manager will phone RAOs to explicitly confirm
details of their own personal applications, in normal manner.
------ Implementation Day --------
4) On the CA machine, move the existing CA Certificate files
(from /var/crypto/cacerts) out of the way. Their details will remain in
the database. Start openCA, make a new request for a self signed
certificate and then Generate it. (General->Initialization->Request
Setup, Certificate Setup).
5) On RA, revoke all user certificates and process to CA.
6) On RA, revoke the old CA Certificate and process to CA.
7) Commence issuing the backlog of certificate requests currently
pending, in the normal manner.
Although we will aim for completing this process in one day, I doubt we
will be able to do so.
--------------------
I'll be very grateful for any comments you care to make.
David
Rather than revoking the original CA certificate, have you considered
suspending it to see if there are any users that have not installed their new
certificates? It would be easy to roll back the old root cert and convert
those last users, and repeat the suspend-root process until all users are
converted. That way you can motivate slow converters to get new certificates
while minimizing their down time.
As a suggestion, when deploying the new hierarchy, manage the validity period
closely so that you can migrate to a new root without a lot of hassle. There
are papers on the technique available.
Bill
-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
Register for a JBoss Training Course. Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
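The re-issue Szabolcs recommends (same key pair, same DN, same serial, same validity dates, only the keyUsage criticality changed), worked through on the openssl command line as an added example; this is neither OpenCA code nor anything posted in the thread. The DN "CN=Example Root CA", the serial 0x1000, the 2024-2044 validity window, the user certificate and the throwaway work directory are all constructed for the demonstration, and it assumes an openssl binary (1.0.2 or newer) on PATH. Beyond the re-issue itself it adds the check a practitioner wants before cutting over: a user certificate issued under the original root must still chain to the re-issued one, and the two roots must agree on subject, serial, notBefore and public key.

```shell
#!/bin/sh
# Added example, not OpenCA code: re-issue a root CA certificate with the
# same key pair, subject DN, serial number and validity dates, changing only
# the keyUsage criticality, then check that a user certificate issued under
# the ORIGINAL root still verifies against the RE-ISSUED root.
# Constructed assumptions: DN "CN=Example Root CA", serial 0x1000, validity
# 2024-01-01..2044-01-01, a throwaway work directory; needs openssl >= 1.0.2.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/ca.cnf"

# Config for "openssl req" and "openssl ca"; the two v3_ca_* sections differ
# only in whether keyUsage is flagged critical.  $WORK is expanded by the
# shell now, \$dir is left for openssl to expand.
write_config() {
    cat > "$CNF" <<EOF
[ req ]
distinguished_name = req_dn
default_md = sha256
prompt = no
[ req_dn ]
CN = Example Root CA
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir            = $WORK/db
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
serial         = \$dir/serial
default_md     = sha256
policy         = policy_cn
unique_subject = no
[ policy_cn ]
commonName = supplied
[ v3_ca_noncritical ]
basicConstraints     = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage             = keyCertSign, cRLSign
[ v3_ca_critical ]
basicConstraints     = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage             = critical, keyCertSign, cRLSign
EOF
}

# Self-sign the root CSR with the root key.  A fresh "openssl ca" database, a
# pinned serial file and explicit -startdate/-enddate make every issuance
# identical except for the extension section ($1); the cert is written to $2.
issue_root() {
    rm -rf "$WORK/db"
    mkdir -p "$WORK/db/newcerts"
    : > "$WORK/db/index.txt"
    echo 1000 > "$WORK/db/serial"
    openssl ca -config "$CNF" -batch -notext -selfsign \
        -keyfile "$WORK/ca.key" -in "$WORK/ca.csr" -extensions "$1" \
        -startdate 240101000000Z -enddate 440101000000Z \
        -out "$2" 2>/dev/null
}

# Prints 1 if the certificate's keyUsage extension is marked critical, else 0.
keyusage_is_critical() {
    if openssl x509 -in "$1" -noout -text | grep -q 'Key Usage: critical'; then
        echo 1
    else
        echo 0
    fi
}

# The fields that must not change across the re-issue: subject DN, serial,
# notBefore and the public key.
root_identity() {
    openssl x509 -in "$1" -noout -subject -serial -startdate -pubkey
}

# Succeeds when certificate $2 chains to trust anchor $1.
leaf_verifies_with() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

run_demo() {
    write_config
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -config "$CNF" -key "$WORK/ca.key" \
        -subj "/CN=Example Root CA" -out "$WORK/ca.csr"
    # Original root: keyUsage present but not critical (the misconfiguration).
    issue_root v3_ca_noncritical "$WORK/root-old.crt"
    # A user certificate issued under that original root.
    openssl genrsa -out "$WORK/user.key" 2048 2>/dev/null
    openssl req -new -config "$CNF" -key "$WORK/user.key" \
        -subj "/CN=user1" -out "$WORK/user.csr"
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/root-old.crt" \
        -CAkey "$WORK/ca.key" -set_serial 2 -days 365 -sha256 \
        -out "$WORK/user.crt" 2>/dev/null
    # Re-issued root: same key, DN, serial and dates; keyUsage now critical.
    issue_root v3_ca_critical "$WORK/root-new.crt"
}

run_demo
echo "old root keyUsage critical: $(keyusage_is_critical "$WORK/root-old.crt")"
echo "new root keyUsage critical: $(keyusage_is_critical "$WORK/root-new.crt")"
if leaf_verifies_with "$WORK/root-new.crt" "$WORK/user.crt"; then
    echo "user cert issued under the old root verifies against the new root: OK"
fi
```

Run it as a plain sh script. The validity dates are pinned with -startdate/-enddate on "openssl ca" precisely because, as the thread notes, "openssl req -x509" would stamp the new root with today's notBefore. What the script does not cover is the OpenCA side: the re-issued root file still has to be copied over every instance in OpenCA's directory tree, and the change recorded in the CP/CPS, exactly as Szabolcs says.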