Hi, that is really the first time I hear of a limitation on the public key inside a CA's certificates.

Usually some applications do not work well when trying to use longer key sizes (e.g., crypto export issues, etc.), but usually they are able to correctly parse and verify certificates no matter what the key sizes in them are. Are those ad-hoc apps or are they publicly available? If so, can you tell me which ones they are (so I will always avoid using them!)?

Back to your problem: if it is related to the End Entity (application/user) certificate, then just allow only smaller key sizes when issuing certificates. If, instead, the problem is with the key size of the CA's key, then you will have to re-generate the key and self-sign the certificate again. The option of rolling over with a sub-CA is not an option, as the certificate chain will always chain back to your original 4096-bit CA.

You can still use the database from the old CA and use that for an automated roll-over of the issued certificates (early renewal), but that would require some coding - especially with the old 0.9.2 version...

Probably this is not the answer you wanted.. :( I would suggest you double check that the app issue is with the verification of the certificate chain and not only with the size of the key they are using.. besides that, I do not have another suggestion right now...

Let us know if/how you solve your issue.. it might be useful to others.

Later,
Max

P.S.: If you have control over the code in your apps, you might decide to change the approach and fix the errors in those applications instead of re-issuing all the certificates.

On 10/6/09 6:10 AM, Yildirim Zaynal wrote:
Dear all,

Current situation: OpenCA version 0.9.2.5. CA: using a private key of 4096 bits.

Issue: Some applications don't support 4096-bit key lengths => I want to sign certificates with a 2048-bit CA key.

Question: I don't want to install another OpenCA server, and I want to use the same database for the certificates so that everything is cleaner and more consistent. Is it possible to change the CA (the public key & private key) without any problems? Or is it possible to have 2 private keys and choose which one to sign with using OpenCA?

Any comments/ideas are welcome.
--
Best Regards,
Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]   ope...@acm.org
                                             project.mana...@openca.org
Dartmouth Computer Science Dept              Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory                         Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us who do. -- Isaac Asimov
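Max's suggestion to first check whether the failing applications choke on the CA key or on the end-entity key is easiest to settle by listing the key size of every certificate in the chain. The script below is an added example, not code from the thread or from OpenCA; it assumes the openssl command-line tool is installed and that the chain is available as a PEM bundle (the file name is a placeholder).

```bash
#!/bin/sh
# Added example (not from the original thread or from OpenCA).
# Lists the RSA key size of every certificate in a PEM bundle so you can see
# whether the 4096-bit key sits only in the CA certificate or also in the
# end-entity certificates. Requires the openssl CLI.

# Print the public key size in bits of a single PEM certificate file.
cert_key_bits() {
    # OpenSSL prints "Public-Key: (2048 bit)" (or "RSA Public-Key: ..." in 1.1.x).
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Print "<bits><TAB><subject>" for each certificate in the bundle given as $1,
# in the order they appear in the file.
chain_key_sizes() {
    bundle="$1"
    tmp=$(mktemp -d) || return 1
    # Split the bundle at each BEGIN line into one file per certificate.
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
                       n {print > (dir "/cert_" n ".pem")}' "$bundle"
    for f in "$tmp"/cert_*.pem; do
        [ -f "$f" ] || continue
        bits=$(cert_key_bits "$f")
        subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null)
        printf '%s\t%s\n' "$bits" "$subj"
    done
    rm -rf "$tmp"
}

# Print the largest key size found anywhere in the bundle; if this is 4096
# while the end-entity certificate reports 2048, the CA key is the problem.
chain_max_bits() {
    chain_key_sizes "$1" | awk -F '\t' '$1 > max {max = $1} END {print max + 0}'
}

# Usage (placeholder path): chain_key_sizes /path/to/chain.pem
```

Feed it the bundle the failing application actually receives (CA certificate plus end-entity certificate); the per-certificate lines tell you which key the application is objecting to.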
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users