Hi Gabriel, as Martin already wrote - the recommended way is to create a new CA hierarchy every "X" years and perform a so-called "CA Rollover" - for the "standard use case" of TLS certificates we usually recommend 3 years of active operation for a CA generation to our customers and exchange the full hierarchy every three years. With a one-year validity for end-entity certificates and some operational reserve, 5 years validity for the issuing certificate and 10 years for the root is a good rule of thumb but ymmv.
On the OpenXPKI side a CA rollover is as easy as importing the new CA certificate (and its key, of course) into the system the same way you do with the initial one. OpenXPKI can have an unlimited number of CA certificates in a single realm and just picks the one with the most recent notbefore date, so there is no need to change anything else in the software. The "challenge" is to distribute the new root CA to your environment; OpenXPKI supports this rollover as defined in the SCEP and EST protocols, and our client software "CertNanny" can manage the client side.

best regards
Oliver

On 05.08.21 at 19:29, Gabriel Carissimo wrote:
> Oliver
> I have a question regarding the validity of the CA and the validity of the certificates. How is it when, e.g., the validity of the CA is 5 years and the validity of the certificates is 2 years: what happens when year 4 of the CA's validity is reached and it is intended to generate certificates for 2 years, are the requests paused? What would be a good practice? Have a CA with 50 years?
>
> thanks
> Gabriel
>
> On Thu, 5 Aug 2021 at 12:14, Oliver Welter (<[email protected]>) wrote:
>
> It looks like you want to issue a certificate with a validity of 15 years....(hope you know what you are doing) but your CA certificate is not valid at this point in time. OpenXPKI uses the "shell model" which requires that the CA lifetime is at least equal to the signed certificate's lifetime.
>
> So either you reduce the validity or you must create a new issuing CA that has a sufficiently long validity period.
>
> Oliver
>
> On 05.08.21 at 16:14, Gabriel Carissimo wrote:
>> Thank you very much, as always, Oliver!
>>
>> The only error that I detect is in the openxpki.log and it is the following:
>> 2021/08/05 11:02:13 ERROR Could not find token alias by group; __group__ => ca-signer, __noafter__ => 2101557733, __notbefore__ => 1628172133, __pki_realm__ => XXXXXX [pid=22660|sid=PLa1|wftype=certificate_signing_request_v2|wfid=327935]
>> 2021/08/05 11:02:13 ERROR Caught exception from action: [Generic exception]; reset workflow to old state 'APPROVED_GLOBAL_PERSIST_CSR_0' [pid=22660|sid=PLa1|wftype=certificate_signing_request_v2|wfid=327935]
>>
>> what should I do?
>>
>> thanks
>> Gabriel
>>
>> On Thu, 5 Aug 2021 at 3:23, Oliver Welter (<[email protected]>) wrote:
>>
>> Hi,
>>
>> I assume this is the CSR "issue certificate" step - the backend error is usually a problem with the openssl call to create the certificate, check the error logs.
>>
>> Oliver
>>
>> On 04.08.21 at 21:55, Gabriel Carissimo wrote:
>>> Hi friends
>>> I am receiving this message, I attach an image, what could be happening?
>>>
>>> https://drive.google.com/file/d/1Xh-snQqZLeIg8nM6225CkGHppRg1NBNG/view?usp=sharing
>>>
>>> thanks
>>>
>>> _______________________________________________
>>> OpenXPKI-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>
>> --
>> Protect your environment - close windows and adopt a penguin!
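The two points Oliver makes above (the "shell model", under which the issuing CA's validity must fully enclose the end-entity certificate's validity, and the rule that among several CA certificates in a realm the one with the most recent notbefore is picked) can be checked offline. The following is an added example, not OpenXPKI's own code: the CaToken class, the function names and the two CA validity windows are assumptions chosen for illustration, while the request epochs are the __notbefore__ / __noafter__ values from the log line quoted in the thread. It reproduces why that request found no usable "ca-signer" token and how a longer-lived issuing CA, or a rollover to a newer CA, changes the outcome.

```python
"""Shell-model validity check and signer selection, modelled on the
OpenXPKI mailing-list thread. Added example, not OpenXPKI code: the
CaToken type, function names and CA validity windows are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class CaToken:
    """Minimal stand-in for an issuing-CA token: alias plus validity (epoch seconds)."""
    alias: str
    not_before: int
    not_after: int


def epoch(year: int, month: int, day: int) -> int:
    """UTC midnight of the given date as epoch seconds (helper for constructed data)."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


# Request window taken from the error log quoted in the thread.
REQ_NOT_BEFORE = 1628172133   # __notbefore__ => 2021-08-05
REQ_NOT_AFTER = 2101557733    # __noafter__   => 2036-08-05

# Constructed CA validity windows (assumptions, not from the thread):
# a 5-year issuing CA following the rule of thumb, and a deliberately
# long-lived replacement of the kind Oliver suggests creating.
OLD_ISSUING_CA = CaToken("ca-signer-1", epoch(2018, 1, 1), epoch(2023, 1, 1))
NEW_ISSUING_CA = CaToken("ca-signer-2", epoch(2021, 1, 1), epoch(2041, 1, 1))


def requested_days(not_before: int, not_after: int) -> int:
    """Whole days between the requested notBefore and notAfter."""
    return (not_after - not_before) // 86400


def covers(ca: CaToken, not_before: int, not_after: int) -> bool:
    """Shell model: the CA's validity must enclose the end-entity validity."""
    return ca.not_before <= not_before and not_after <= ca.not_after


def pick_signer(tokens: Iterable[CaToken], not_before: int, not_after: int) -> Optional[CaToken]:
    """Return the shell-model-compatible token with the most recent notBefore,
    or None, which corresponds to the 'Could not find token alias by group'
    error in the thread."""
    candidates = [t for t in tokens if covers(t, not_before, not_after)]
    if not candidates:
        return None
    return max(candidates, key=lambda t: t.not_before)


def explain(tokens: Iterable[CaToken], not_before: int, not_after: int) -> str:
    """Human-readable verdict for a request against the available tokens."""
    days = requested_days(not_before, not_after)
    chosen = pick_signer(tokens, not_before, not_after)
    if chosen is None:
        return f"request for {days} days: no CA token satisfies the shell model"
    return f"request for {days} days: signer {chosen.alias}"


if __name__ == "__main__":
    # The 15-year request from the log against the 5-year CA alone fails.
    print(explain([OLD_ISSUING_CA], REQ_NOT_BEFORE, REQ_NOT_AFTER))
    # After importing the long-lived CA it is picked (most recent notBefore).
    print(explain([OLD_ISSUING_CA, NEW_ISSUING_CA], REQ_NOT_BEFORE, REQ_NOT_AFTER))
    # A one-year request fits both CAs; the newer one still wins, which is
    # the rollover behaviour described in the thread.
    one_year_later = REQ_NOT_BEFORE + 365 * 86400
    print(explain([OLD_ISSUING_CA, NEW_ISSUING_CA], REQ_NOT_BEFORE, one_year_later))
```

Running the block prints three verdicts: the logged request is 5479 days (about 15 years) and has no signer against the 5-year CA, gets ca-signer-2 once the long-lived CA is present, and a one-year request also lands on ca-signer-2 because it has the more recent notBefore.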
