Hello Mick:

Mick wrote:

<snip>

> Yes it does. Keeping the same private key and generating a new public key with
> it seems to be a sensible thing to do from a practical point of view.
Be careful - first of all - you can't "generate a new public key" - you can generate a new certificate request, but it will use the same public key as used in the now expired certificate - that's just how asymmetric cryptosystems work. And, the longer that a particular keypair is used, the higher the likelihood that that key will be broken or compromised. That's one of the reasons that most CAs have fairly short validity periods for user certificates and keys.

And just to short-circuit the discussion of "But I'm using 2048 bit keys, so I'm OK", you are probably using SHA-1 in the signature algorithm, which isn't necessarily OK. And please talk to Microsoft about backporting SHA-256 into their operating systems before Vista so that we can fix that particular problem... everything else supports SHA-256, except most widely deployed versions of Windows. :)

Speaking of validity periods, you should check with your CA to find out what their key lifetime rules are - most are the same as for the certificate, although I've seen variations. The key lifetimes should be listed in the Certificate Policy of the CA that you are using.

Have fun.

---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
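The point Patrick makes above can be checked directly: a renewal CSR built from the existing private key carries byte-for-byte the same SubjectPublicKeyInfo as the expired certificate, and only a freshly generated key pair changes it. The script below is an added example, not code from the thread; it assumes the openssl CLI is on PATH, and the subject name and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): compare the public key of a
# renewal CSR against the old certificate, and report the signature digest.
# Assumes the openssl CLI is on PATH; all files live in a temporary directory.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 over the DER SubjectPublicKeyInfo of a cert ("x509") or CSR ("req").
# Comparing SPKI digests is the defender's check for key reuse across renewals.
spki_digest() {
    openssl "$2" -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when CSR $1 reuses the public key of certificate $2.
csr_reuses_cert_key() {
    [ "$(spki_digest "$1" req)" = "$(spki_digest "$2" x509)" ]
}

# The thread also warns about SHA-1 signatures: print the cert's signature OID name.
sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# Old key pair and its (soon to expire) self-signed certificate.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/old.key" 2>/dev/null
openssl req -new -x509 -sha256 -key "$WORK/old.key" -subj "/CN=renewal.example" \
    -days 30 -out "$WORK/old.crt" 2>/dev/null

# Renewal the way the quoted poster proposed: new CSR, same private key.
openssl req -new -key "$WORK/old.key" -subj "/CN=renewal.example" \
    -out "$WORK/reuse.csr" 2>/dev/null

# Renewal with a freshly generated key pair.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/new.key" 2>/dev/null
openssl req -new -key "$WORK/new.key" -subj "/CN=renewal.example" \
    -out "$WORK/fresh.csr" 2>/dev/null

if csr_reuses_cert_key "$WORK/reuse.csr" "$WORK/old.crt"; then
    echo "reuse.csr: same public key as old.crt (key pair NOT rotated)"
fi
if ! csr_reuses_cert_key "$WORK/fresh.csr" "$WORK/old.crt"; then
    echo "fresh.csr: new public key (key pair rotated)"
fi
echo "old.crt signature algorithm: $(sig_alg "$WORK/old.crt")"
```

The same SPKI comparison works against a CA's issued certificates, so an auditor can spot keys that have been carried across several certificate lifetimes.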