On 31/03/2016 17:16, warron.french wrote:
> Hello, I had to build a Certificate Authority (CA) server for an
> isolated network (I know, it seems silly).
> Anyway, I figured out how to create the CA service doing a self-signed
> certificate that will expire in 9 years, because it was a 10-year
> certificate of which 9 years remains available.
> I then created separate TLS keys and CSRs and had them signed by the
> CA server.
> The 2 certificates for the "servers" (it's actually all the same 1
> server with different DNS-A-Record resolvable names) worked perfectly
> for the past 1 year; but I was kept busy working on other tasks; so
> this isolated network got neglected. The two (2) certificates for the
> servers expired last month.
> I documented how to build the CA, how to create the CSRs and get them
> signed; but I didn't know how to write the documentation for
> maintaining any certificates once they expired.
> I want to properly, and gracefully, manage the CA server to do
> whatever is appropriate.
> I believe, but do not know for sure, that what I want to do is:
> 1. Revoke the expired certificates (maybe that is not necessary or
> appropriate?)

Not needed, only do this if the old private key was compromised.

> 2. Clean up the CA database (with the openssl ca -updatedb command?)

Not needed (I think, never used that command).

> 3. Then create new server certificates for the 2 servers again.

Yep, and give the new ones a slightly different "full"
distinguished name (important for CRL and "ca" database).
My approach is to include the year-month as an extra OU e.g.
CN=foo.example.private,OU=isonetwork,OU=2016-03,O=YourCompany
Inc,L=YourTown,C=XX
(This of course needs to be input when generating the new keys
and requests, then checked when signing them).
You should also set up a CRL generation and renewal process,
so you can revoke any compromised keys and tell the clients.
This would require logging on to the CA once a month to sign
an (updated but unchanged) CRL and copy it to some http or
ldap URL on the isolated network. Professional CAs do this
daily, but that's too much work for a tiny company CA.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
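As an added example (not code from the thread or from the poster's CA) of the steps Jakob describes: a throwaway OpenSSL CA in a temporary directory re-issues a server certificate with a year-month OU, signs a CRL (default_crl_days = 30 stands in for the monthly re-signing) and verifies the new certificate against it. The DN components are the ones quoted above; the config layout, the "Demo Root CA" name and the 3650-day CA lifetime are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the poster's or Jakob's CA: a throwaway OpenSSL CA in a temp dir that
# re-issues a server cert with a year-month OU (DN parts from the thread), signs a CRL and verifies.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d); CA="$WORK/ca"; mkdir -p "$CA/newcerts"   # minimal 'openssl ca' layout
: > "$CA/index.txt"; echo 1000 > "$CA/serial"; echo 01 > "$CA/crlnumber"
cat > "$CA/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
countryName = match
localityName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$CA/ca.cnf" -extensions v3_ca \
  -subj "/C=XX/O=YourCompany Inc/CN=Demo Root CA" -keyout "$CA/ca.key" -out "$CA/ca.crt" 2>/dev/null
# issue_cert HOST YYYY-MM: new key + CSR carrying the year-month OU, signed by the CA;
# returns non-zero when the CA database already holds a valid cert with the identical DN.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$CA/ca.cnf" \
    -subj "/C=XX/L=YourTown/O=YourCompany Inc/OU=$2/OU=isonetwork/CN=$1" \
    -keyout "$WORK/$1-$2.key" -out "$WORK/$1-$2.csr" 2>/dev/null
  openssl ca -batch -notext -config "$CA/ca.cnf" -in "$WORK/$1-$2.csr" -out "$WORK/$1-$2.crt"
}
sign_crl() { openssl ca -config "$CA/ca.cnf" -gencrl -out "$CA/ca.crl"; }   # the monthly chore
verify_cert() { openssl verify -crl_check -CAfile "$CA/ca.crt" -CRLfile "$CA/ca.crl" "$WORK/$1-$2.crt"; }
issue_cert foo.example.private 2015-03                 # last year's certificate
issue_cert foo.example.private 2015-03 || echo "same DN refused (unique_subject): bump the OU"
issue_cert foo.example.private 2016-03                 # the renewal, with a new OU
sign_crl
verify_cert foo.example.private 2016-03                # prints "<path>: OK"
```

The refused second call is the point of the extra OU: with the default unique_subject setting, `openssl ca` will not sign a second valid certificate for an identical DN.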
--
openssl-users mailing list