On 03/05/2016 08:24 AM, ValdikSS wrote:
>
> On 03/05/2016 04:36 AM, Jan Just Keijser wrote:
>
> I've signed my new CA's private key (4096 bit) with old CA (1024 bit) and it
> became intermediate to my old CA (what you call extending trust), but also
> issued self-signed new CA. I issue server certificates with new CA.
>
> Current users trust only old CA, so to make them connect to the servers with
> server certificates issued by new CA, we should either add cross-signed
> (intermediate) certificate on the client side, or push it from server. The
> latter I'm trying to achieve.
>
> New clients will get configuration files with new CA inside, and they would
> be able to successfully connect, since intermediate certificate, pushed from
> server, would be just ignored. Old clients would eventually update
> configuration files too. After some time, we'll move all users to new CA and
> remove intermediate certificate from server.
>
> Just to clarify, both self-signed new CA and cross-signed new CA share the same private key.
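The CA layout described in the quoted message, rebuilt with openssl so that the trust relationships can be checked before a rollout. This is an added example, not code from the thread or from the OpenVPN project; the CA names, the server name vpn.example.org, the file names and the validity periods are all constructed for the demo, and `openssl verify` stands in for the chain validation an OpenVPN client would perform.

```shell
#!/bin/sh
# Added example (not from the thread): old 1024-bit root, new 4096-bit CA that
# exists both as a self-signed certificate and as a cross-signed certificate
# issued by the old root with the same key, and a server certificate issued by
# the new CA. We then check which client trust stores accept the server cert.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:vpn.example.org\n' > server.ext

build_pki() {
  # Old root CA: 1024-bit RSA, as in the existing deployment.
  openssl genrsa -out old-ca.key 1024 2>/dev/null
  openssl req -x509 -new -key old-ca.key -out old-ca.crt -config req.cnf \
    -extensions v3_ca -subj "/CN=Old Root CA" -days 3650 2>/dev/null

  # New CA key: 4096-bit RSA. This one key backs both new-CA certificates.
  openssl genrsa -out new-ca.key 4096 2>/dev/null

  # (a) Self-signed new CA certificate: what new client configs will carry.
  openssl req -x509 -new -key new-ca.key -out new-ca-selfsigned.crt -config req.cnf \
    -extensions v3_ca -subj "/CN=New Root CA" -days 3650 2>/dev/null

  # (b) Cross-signed new CA certificate: same key and subject, issued by the old
  #     root, so it works as an intermediate for clients that trust only old-ca.crt.
  openssl req -new -key new-ca.key -out new-ca.csr -config req.cnf \
    -subj "/CN=New Root CA" 2>/dev/null
  openssl x509 -req -in new-ca.csr -CA old-ca.crt -CAkey old-ca.key -CAcreateserial \
    -out new-ca-cross.crt -days 3650 -extfile req.cnf -extensions v3_ca 2>/dev/null

  # Server certificate issued by the new CA.
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -out server.csr -config req.cnf \
    -subj "/CN=vpn.example.org" 2>/dev/null
  openssl x509 -req -in server.csr -CA new-ca-selfsigned.crt -CAkey new-ca.key \
    -CAcreateserial -out server.crt -days 825 -extfile server.ext 2>/dev/null
}

# $1 = CA file the client trusts, $2 = server cert, $3 = optional intermediate
# the server pushes along with its own certificate. Exit status is the verdict.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# True when two certificates carry the same public key: the precondition that
# lets one cert be a root for new clients and an intermediate for old ones.
same_public_key() {
  a=$(openssl x509 -noout -pubkey -in "$1" | openssl dgst -sha256)
  b=$(openssl x509 -noout -pubkey -in "$2" | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

# $1 = expected verdict (ok|fail), rest = command to run.
expect() {
  want=$1; shift
  if "$@"; then got=ok; else got=fail; fi
  echo "$got (expected $want): $*"
}

build_pki
expect ok   same_public_key new-ca-selfsigned.crt new-ca-cross.crt
expect ok   verify_chain old-ca.crt server.crt new-ca-cross.crt           # old client, intermediate pushed
expect ok   verify_chain new-ca-selfsigned.crt server.crt                 # new client, nothing pushed
expect ok   verify_chain new-ca-selfsigned.crt server.crt new-ca-cross.crt # new client, pushed cert ignored
expect fail verify_chain old-ca.crt server.crt                            # old client, nothing pushed
```

The last line is the case that breaks if the intermediate is removed from the server before every client has a configuration carrying new-ca-selfsigned.crt, so checking the client population is the gate for that final step. Note that the chain a client builds depends on the pushed cross-signed certificate having exactly the same subject and public key as the self-signed one; if the new CA key is ever rotated, both certificates must be reissued together.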