A self-signed CA is a root CA, so you cannot revoke it like a normal certificate. In theory, to revoke a root CA (you do this only for a CA key compromise or CA decommissioning) you must first of all revoke all issued certificates, issue a new CRL, destroy the CA key pair, inform all the certificate holders of the event and tell them to put the CA certificate in the Untrusted Root Certification Authorities store of their certificate store.
However, you DON'T need to make this mess, because you only want to renew the CA certificate using the pre-existing key pair, so you don't need to revoke anything. All the new and old issued certificates will be verified against this new CA certificate because its public key is always the same. However, some software can have problems because of the DN change (if you look, on Windows, in the trust chain, a certificate is related to the CA through the DN found in the Issuer field of the certificate; however, it tells you that there is a problem if the signature doesn't match).

If you want to change the key pair instead, you must follow a simple procedure:

1. Generate the new key pair
2. Create a PKCS#10 request signed with the old key pair (OldP10)
3. Create a PKCS#10 request signed with the new key pair (NewP10)
4. Issue the certificate for NewP10 by signing it with the old key pair (it will be named NewWithOld) and save it in a safe place
5. Save the old CA certificate (OldWithOld) in a safe place
6. Issue the new CA certificate by self-signing NewP10 (NewWithNew)
7. Issue the certificate for OldP10 by signing it with the new key pair (it will be named OldWithNew) and save it in a safe place

All these procedures are not assisted in OpenCA, but it is very simple to perform them using the background OpenSSL environment used by OpenCA itself :-)

P.S.: Correct me if something is not clear or incorrect.

On 12/8/06, Francois Pernet <[EMAIL PROTECTED]> wrote:
> Hi
>
> We will be obliged to regenerate the CA certificate (self-signed) because we
> need to change the DN of the CA. We won't change the secret key but only the
> cert. We will revoke the actual CA and then create a new CA cert.
>
> Is there any chance that we won't be obliged to recreate each certificate?
> Will already published certificates be able to be verified against this new
> CA cert?
> Is there any issue when doing such an operation?
>
> Thx
--
Diego
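The renewal with the existing key pair and the seven-step key rollover from the reply above, as an added example that is not part of the post and not OpenCA code, typed directly into the OpenSSL that OpenCA runs underneath. The CA names, the host name and all file names are made up. The script also exercises the DN-change caveat the reply mentions: OpenSSL's own verifier finds an issuer by matching the Issuer DN of a certificate against the Subject DN of a trusted certificate, so an already issued certificate does not chain to a root that kept its key but changed its name unless a link certificate carrying the old name is also supplied, which is the OldWithNew idea applied to a name change rather than a key change.

```bash
#!/usr/bin/env bash
# Added example, not OpenCA code: CA certificate renewal and CA key rollover
# with plain OpenSSL, each result checked with OpenSSL's own chain verifier.
# Every name here (Example Root CA, server.example.test, the file names) is
# made up for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so nothing depends on the system openssl.cnf; the DN
# always comes from -subj, the [dn] entry only keeps req happy.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > req.cnf
# CA extensions. The key identifiers are what lets a verifier tell two CA
# certificates with the same DN but different keys apart (case 3 below).
printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
  'keyUsage = critical, keyCertSign, cRLSign' \
  'subjectKeyIdentifier = hash' 'authorityKeyIdentifier = keyid' > ca.ext
printf '%s\n' 'basicConstraints = CA:FALSE' 'subjectKeyIdentifier = hash' \
  'authorityKeyIdentifier = keyid:always' > ee.ext

csr()      { openssl req -new -config req.cnf -key "$1" -subj "$2" -out "$3" 2>/dev/null; }   # KEY SUBJ OUT
selfsign() { openssl x509 -req -in "$1" -signkey "$2" -sha256 -days 3650 -extfile ca.ext -out "$3" 2>/dev/null; }  # CSR KEY OUT
issue()    { openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -sha256 -days 3650 \
               -extfile "$4" -out "$5" 2>/dev/null; }                                          # CSR CACERT CAKEY EXT OUT
# outcome TRUSTED LEAF [UNTRUSTED]: prints OK when LEAF chains to TRUSTED, else FAIL
outcome() {
  if [ $# -ge 3 ]; then out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 || true)
  else out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true); fi
  case "$out" in *": OK"*) echo OK ;; *) echo FAIL ;; esac
}

# The CA as it is today (OldWithOld) and one certificate it has already issued.
openssl genrsa -out old.key 2048 2>/dev/null
csr old.key "/CN=Example Root CA" OldP10.csr
selfsign OldP10.csr old.key OldWithOld.pem
openssl genrsa -out leaf.key 2048 2>/dev/null
csr leaf.key "/CN=server.example.test" leaf.csr
issue leaf.csr OldWithOld.pem old.key ee.ext leaf.pem

# Case 1: renew the CA certificate with the same key pair and the same DN.
selfsign OldP10.csr old.key Renewed.pem
RENEWED_SAME_DN=$(outcome Renewed.pem leaf.pem)                           # OK

# Case 2: same key pair, new DN. The Issuer of leaf.pem no longer matches any
# trusted Subject, so the chain cannot be built although the key is the same.
csr old.key "/CN=Example Root CA G2" RenamedP10.csr
selfsign RenamedP10.csr old.key Renamed.pem
RENAMED_ALONE=$(outcome Renamed.pem leaf.pem)                             # FAIL
# Remedy: a link certificate with the old name and the same key, issued by the
# renamed CA; relying parties get it alongside the end-entity certificate.
issue OldP10.csr Renamed.pem old.key ca.ext OldNameWithNewName.pem
RENAMED_BRIDGED=$(outcome Renamed.pem leaf.pem OldNameWithNewName.pem)    # OK

# Case 3: key rollover, the seven steps from the post, DN kept.
openssl genrsa -out new.key 2048 2>/dev/null                  # 1. new key pair
csr new.key "/CN=Example Root CA" NewP10.csr                  # 3. NewP10 (OldP10 is from above)
issue NewP10.csr OldWithOld.pem old.key ca.ext NewWithOld.pem # 4. NewWithOld
selfsign NewP10.csr new.key NewWithNew.pem                    # 6. NewWithNew
issue OldP10.csr NewWithNew.pem new.key ca.ext OldWithNew.pem # 7. OldWithNew
# A relying party trusting only the new root still validates old certificates...
ROLLOVER_OLD_LEAF=$(outcome NewWithNew.pem leaf.pem OldWithNew.pem)       # OK
# ...and one trusting only the old root validates certificates from the new key.
csr leaf.key "/CN=server.example.test" leaf2.csr
issue leaf2.csr NewWithNew.pem new.key ee.ext leaf2.pem
ROLLOVER_NEW_LEAF=$(outcome OldWithOld.pem leaf2.pem NewWithOld.pem)      # OK

printf 'renewed, same DN: %s\nrenamed, no link cert: %s\nrenamed, with link cert: %s\n' \
  "$RENEWED_SAME_DN" "$RENAMED_ALONE" "$RENAMED_BRIDGED"
printf 'rollover, old leaf via new root: %s\nrollover, new leaf via old root: %s\n' \
  "$ROLLOVER_OLD_LEAF" "$ROLLOVER_NEW_LEAF"
```

Each outcome is whatever openssl verify reports. The file passed as -untrusted is where the link certificate (OldWithNew, NewWithOld, or the bridge for the renamed CA) has to reach the relying party, typically by shipping it in the server's certificate chain; without it the verifier has only the DN and the key identifiers to go on and stops at the first trusted certificate whose name matches.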
