Steve,

Many thanks for your informed (as usual!) reply.  Indeed we
are using Xenroll.

Since we store the Client CertReqs, we just thought it would
be neat to be able to re-issue the client certs on the spot in
case we needed to replace the root CA cert.

As I said, this stuff works with NS Communicator, and it
seems a nuisance that it doesn't with MSIE.  As we figure,
most CAs would find the functionality we are trying to
implement extremely useful when replacing a root CA cert
in case of emergency or otherwise.

Kind regards,

Andrew.


----- Original Message -----
From: Dr Stephen Henson <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 22, 1999 10:43 PM
Subject: Re: Changing Root Cert and Re-Issuing Client Certs


> J. Andrés Hall wrote:
> >
> > We're looking to change our OpenSSL CA Root Certificate.
> >
> > To minimize disruption, we would like to re-issue our client
> > certs signed with the new root, but use the original client
> > certificate requests.
> >
> > This works fine with Netscape Communicator 4.61 but
> > fails with MSIE 5.
> >
> > This functionality is important for any CA wishing to
> > preserve PKI operation in case the Root CA cert or
> > Subsidiary CA certs need to be replaced, for example
> > in case of CA cert expiration or private key loss or
> > compromise.
>
> Hmmmm tricky. I presume you are using Xenroll?
>
> Well Xenroll matches the certificate you are trying to install with a
> list of dummy certificates corresponding to requests issued. If the
> dummy certificate isn't present then it won't install the certificate.
>
> The snag is that by default if you install a certificate it deletes the
> dummy so you can't install the certificate more than once!
>
> There's an Xenroll property called DeleteRequestCert that governs this
> behaviour.
>
> Hmmm tricky. I can't immediately think of a clean solution however...
>
> I'd guess you could get Xenroll to re-issue a request by asking it to
> use an existing private key, then you could install a new certificate.
>
> If the private key is exportable you could substitute the certificate in
> the PKCS#12 file.
>
> There are other alternatives based on doing some CryptoAPI calls to
> forcibly replace the certificate.
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
>
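The CA-side half of what Andrew describes, re-signing a stored client CSR under a replacement root, as an added example that is not part of this thread; it uses only standard openssl(1) subcommands, and the names oldroot, newroot and client are constructed throwaways. The browser-side step (getting Xenroll to accept the re-issued certificate) is the part Steve says fails, and is not covered here.

```shell
#!/bin/sh
# Added example (not from the thread): re-issue a client cert from its stored CSR
# under a replacement root. CA and client names are constructed throwaways.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root NAME: self-signed root CA, key and cert
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_csr NAME: client key plus the CSR the CA keeps on file
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# issue CSR CA OUT: sign a stored CSR under CA (stand-in for "openssl ca" fed an existing CSR)
issue() {
    openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$3.pem" 2>/dev/null
}

# reissue_demo: returns 0 when the re-issued cert keeps the client's key and chains only to the new root
reissue_demo() {
    make_root oldroot
    make_csr client
    issue client oldroot client-old        # original issuance
    make_root newroot                      # root replaced (expiry, key loss, compromise)
    issue client newroot client-new        # same stored CSR, new issuer
    # the client's key pair is untouched: CSR and new cert carry the same public key
    csr_key=$(openssl req -in "$WORK/client.csr" -pubkey -noout)
    new_key=$(openssl x509 -in "$WORK/client-new.pem" -pubkey -noout)
    [ -n "$csr_key" ] && [ "$csr_key" = "$new_key" ] || return 1
    # the chain now validates under the new root and no longer under the old one
    openssl verify -CAfile "$WORK/newroot.pem" "$WORK/client-new.pem" 2>/dev/null | grep -q ': OK$' || return 1
    ! openssl verify -CAfile "$WORK/oldroot.pem" "$WORK/client-new.pem" 2>/dev/null | grep -q ': OK$'
}

reissue_demo && echo "client cert re-issued under newroot with the original key"
```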
