Hi Greg,

Greg Vickers wrote:
> Argh, hit the send button before I had finished *blush*
>
> Greg Vickers wrote:
>
>> Hi all,
>>
>> I am in the process of renewing a root CA certificate (which is
>> expiring soon.) I should be able to use the original certificate
>> signing request to issue a new certificate for the CA, correct?
>>

Yes. But even if you don't have the original certificate signing request (CSR), you can generate it from the existing certificate:

openssl x509 -x509toreq -in ORIGINAL_CA_CERT -signkey PRIVATE_KEY -out careq.csr

>> And what is the best way of deploying the new CA certificate?
>
> ... I mean to write here - we can publish the new certificate, but we
> will have to get the new certificate to all the desktops that use the
> old certificate, correct? Will this be the best way of doing the
> deployment?
>

You could publish the renewed certificate and notify relying parties about the certificate renewal - probably it requires less labour.

However, if your CA root certificate is expiring soon, isn't it a better idea to do a re-key (of course, if it is allowed by your policy) than to continue to use the old key-pair? (It is safer to do a re-key from time to time than to use the same key-pair for a long period.)

Arsen.

-- 
PGP Key: ID 0xBBE3DFD8 (expires: 2006-08-03)
Fingerprint: 1C3B 2C01 40DF ED87 23B1 BF6F 95C4 2E77 BBE3 DFD8
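The script below is an added example, not part of the thread, that walks through both options Arsen contrasts on a throwaway CA: renewing the root certificate with its existing key (CSR rebuilt via `x509 -x509toreq`, then self-signed again) versus re-keying, and checks what each does to a certificate already issued under the old root. It assumes only the `openssl` CLI; the CA name, config file and keys are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: renew a root CA cert with its existing key vs. re-key it,
# then see whether an already-issued leaf cert still chains to each root.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
# 1. Original root (1-day lifetime stands in for "expiring soon") and one leaf.
make_demo_ca() {
  openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca_old.crt -days 1 2>/dev/null
  openssl req -new -config ca.cnf -subj "/CN=leaf.example" -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA ca_old.crt -CAkey ca.key -CAcreateserial \
    -days 365 -out leaf.crt 2>/dev/null
}
# 2. Renewal as in the thread: rebuild the CSR from the old cert, self-sign it
#    again with the SAME key and CA extensions, but with a new validity period.
renew_same_key() {
  openssl x509 -x509toreq -in ca_old.crt -signkey ca.key -out ca.csr 2>/dev/null
  openssl x509 -req -in ca.csr -signkey ca.key -days 3650 \
    -extfile ca.cnf -extensions ca_ext -out ca_new.crt 2>/dev/null
}
# 3. Re-key: a fresh key pair under the same CA name.
rekey() {
  openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout ca_rekey.key -out ca_rekey.crt -days 3650 2>/dev/null
}
same_pubkey() {   # do the two certs carry the same public key?
  [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}
leaf_verifies_under() {   # does the existing leaf still chain to this root?
  openssl verify -CAfile "$1" leaf.crt >/dev/null 2>&1
}
make_demo_ca; renew_same_key; rekey
for root in ca_old.crt ca_new.crt ca_rekey.crt; do
  same_pubkey ca_old.crt "$root" && k=same || k=different
  leaf_verifies_under "$root" && v=verifies || v=FAILS
  echo "$root: key $k, existing leaf $v"   # renewed root: same key, leaf verifies
done
```

After a same-key renewal the leaf still verifies, which is why publishing the renewed root to relying parties is enough; after a re-key it does not, so everything issued under the old key has to be re-issued or cross-certified as well.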