Adrian Chow wrote:
Hi,
I got a question regarding migrating servers. I have a root CA running openssl, and I want to move it to another server. The current root CA has already created and signed a lot of certificates. My concern is the procedure to take so that when the new server is up and installed with openssl, all the certificates will still work as normal, and new certificates generated from the new root CA server should be working as well.
What files should I copy over from the root CA to the new root CA to ensure consistency for future creation and signing of certs?
This depends on your configuration... ;)
If you're using CRL distribution points you'll have to make sure that the address(es) in your already generated certificates are still reachable. If there are other URLs in your config (nsCaRevocationUrl, what else?) the same naturally applies.
Otherwise openssl.conf, your serial file and of course the CA's keys and certificates (directory private in the default config) are essential. And usually you'll also want to take your index file and the already generated certificates (directories newcerts and certs) with you. Finally, you should take a look in your config file and take with you every other file and directory mentioned in there, just to be sure.
The other question: If I upgrade the version of openssl from 0.95 to 0.97e, will the old certs be valid? On a Red Hat machine, can I just use rpm -Uvh to upgrade it?

Oops, 0.9.5 indeed is a bit older than the things I'm used to...
I'd guess that you'll have to update the config file manually. Or at least check if everything is still valid, maybe compare a default config for the current version with your own config file.
The old certs should stay valid (after all your clients won't know that you upgraded till they request their next cert) and I don't think that you'll have problems in running your CA. I'd expect more trouble with other applications linked against the old version, like openssh. But I have no experience in this so I can just quote the theory... ;)
Thanks a lot.
adrian
Hope it helps, Ted ;)