Hi,
Now I am working on CA update. I read RFC 2459 and RFC 2510, and I have many questions:
1. What's the difference between key pair update and CA update? Key pair update only updates the key, while CA update can update other fields?
2. I implement CA update as follows:
A. generate a new key pair;
B. generate the NewWithNew certificate:
1) generate a new certificate, fill fields such as issuer name, validity and so on;
2) fill in the new public key;
3) sign this certificate using the new private key;
C. generate the NewWithOld certificate:
1) generate a new certificate, fill fields such as issuer name, validity and so on;
2) fill in the new public key;
3) sign this certificate using the current CA's private key;
D. generate the OldWithNew certificate:
1) sign the current CA's certificate using the new private key.
Did I implement it correctly?
Now I have 4 certificates: the current CA's certificate, the NewWithNew certificate, the NewWithOld certificate and the OldWithNew certificate. How do users know which certificate to use to verify their certificates?
For example, I generate a user certificate (signed with the old private key) with the current CA. Then I update the CA, get the old public key from the OldWithNew certificate to verify the user certificate, and it fails. Why?
3. Do I need to publish the NewWithNew, OldWithNew and NewWithOld certificates to LDAP? If I do, what is the DN of the entries which contain these certificates?
Thank you!
----------------------------------------------
Thank you for using 21CN Email system
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
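The CA key update the post asks about (RFC 2510 section 2.4.1), modelled in stdlib Python as an added example that is not from the original thread or from OpenSSL: a toy textbook RSA over constructed small primes stands in for the real signature algorithm, and a hashed key identifier stands in for the subject/authority key identifier extensions that let a relying party tell four same-named CA certificates apart. It shows why OldWithNew must carry the old public key signed by the new private key: with only NewWithNew trusted, a user certificate issued under the old key verifies through OldWithNew and not directly under NewWithNew.

```python
import hashlib

# Constructed toy RSA over fixed small primes: deterministic and NOT secure.
def toy_keypair(p, q, e=65537):
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    return pow(digest(data) % priv["n"], priv["d"], priv["n"])
def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest(data) % pub["n"]

def key_id(pub):  # stands in for subject/authority key identifier extensions
    return hashlib.sha256(f"{pub['n']}:{pub['e']}".encode()).hexdigest()[:16]

def make_cert(subject, subject_pub, issuer, issuer_pub, issuer_priv):
    # The certificate carries the SUBJECT's public key; the issuer contributes
    # its name, its key identifier and a signature made with its private key.
    tbs = f"{subject}|{subject_pub['n']}|{subject_pub['e']}|{issuer}".encode()
    return {"subject": subject, "pub": subject_pub, "ski": key_id(subject_pub),
            "issuer": issuer, "aki": key_id(issuer_pub), "tbs": tbs,
            "sig": sign(issuer_priv, tbs)}

def ca_key_update():
    old_pub, old_priv = toy_keypair(2003, 2011)   # constructed primes
    new_pub, new_priv = toy_keypair(2017, 2027)
    user_pub, _ = toy_keypair(2029, 2039)
    ca = "CN=Example CA"                           # the CA name does not change
    return {
        "OldWithOld": make_cert(ca, old_pub, ca, old_pub, old_priv),  # current CA cert
        "NewWithNew": make_cert(ca, new_pub, ca, new_pub, new_priv),
        "NewWithOld": make_cert(ca, new_pub, ca, old_pub, old_priv),  # new key, old signature
        "OldWithNew": make_cert(ca, old_pub, ca, new_pub, new_priv),  # OLD key, new signature
        "user": make_cert("CN=user", user_pub, ca, old_pub, old_priv),  # issued before update
    }

def build_chain(leaf, untrusted, anchor):
    """Follow issuer links by key identifier (all four CA certificates share one
    subject name) through the untrusted pool until the trust anchor signs."""
    chain, cert = [leaf], leaf
    while cert["aki"] != anchor["ski"]:
        nxt = [c for c in untrusted if c["ski"] == cert["aki"] and c is not cert]
        if not nxt or not verify(nxt[0]["pub"], cert["tbs"], cert["sig"]):
            return None
        chain.append(nxt[0])
        cert = nxt[0]
    return chain if verify(anchor["pub"], cert["tbs"], cert["sig"]) else None
```

With NewWithNew as the only trust anchor, `build_chain(certs["user"], [certs["OldWithNew"]], certs["NewWithNew"])` succeeds, while the same call with an empty pool (or with only the old self-signed certificate) returns None.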