Hi Ralf,

> In my opinion, the delivery of all online certificates would be a good
> solution to make a rollover successful.

That is debatable. In our opinion Issuing CA certificates - in contrast to Root CA certificates - should not be distributed to relying parties. Instead, end entities should send the necessary chain belonging to their own end entity certificate (minus the Root, of course) to relying parties. But this is a general PKI architecture topic and clearly outside the scope of this mailing list. Contact White Rabbit Security if you require generic PKI consulting.

> We issue a new issuing certificate every 4 years which is valid for 8 years.
> This ensures that a server certificate that was issued with the "old" issuing
> certificate shortly before the 4-year period expires can still be validated
> until the end of its lifetime. This means that there will always be a period
> during which two valid issuing certificates are required. If we only ever
> receive the last issuing certificate, all servers would have to renew their
> certificate.

This is not correct if your end entities send their own chain.

> Our systems validate the server certificates every time communication is
> established and, in the case of the VPN tunnel, by rekeying every 2.5 hours,
> i.e. we would have to complete the rollover to the latest issuing certificate
> in 2.5 hours.

Sure, not a problem with OpenXPKI. OpenXPKI can perform a rollover at runtime, without the need to interrupt or restart the OpenXPKI service. If your PKI architecture is set up properly, not a single participant will notice it.

> Is there a notification mechanism in openxpki that the CA could use to inform
> its peripheral systems about the CA certificate exchange?

Yes, this is possible, but it is not necessary if the PKI is designed correctly.

Cheers

Martin

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
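As an added example (not code from this thread, from OpenXPKI, or from either poster), the following Go program, using only the standard library, models the schedule Ralf describes: a Root, a new Issuing CA every 4 years valid for 8 years, and a server certificate issued the day before the rollover. It then checks the point Martin makes: a relying party that trusts only the Root and builds the chain from what the end entity presents keeps validating that server certificate after the rollover, whereas a relying party that only holds the newest Issuing CA certificate cannot. The CA names, the hostname `vpn.example.test` and all dates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pki holds a constructed hierarchy following the schedule in the thread: one Root,
// a new Issuing CA every 4 years valid for 8 years, and server certificates issued
// just before and just after the 4-year mark. Names and dates are invented.
type pki struct {
	t0                                             time.Time
	root, oldIssuing, newIssuing, oldLeaf, newLeaf *x509.Certificate
}

const host = "vpn.example.test" // constructed server name

// template builds a CA or server certificate template with the given validity.
func template(cn string, serial int64, from time.Time, years int, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    from,
		NotAfter:     from.AddDate(years, 0, 0),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh P-256 key for tmpl and signs the certificate with
// parentKey under parent; parent == nil self-signs (used for the Root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildPKI issues the whole hierarchy relative to t0, the Root's issue date.
func buildPKI(t0 time.Time) (*pki, error) {
	p := &pki{t0: t0}
	var rootKey, oldKey, newKey *ecdsa.PrivateKey
	var err error
	if p.root, rootKey, err = issue(template("Example Root CA", 1, t0, 20, true), nil, nil); err != nil {
		return nil, err
	}
	// Issuing CA 1 at t0, Issuing CA 2 four years later, each valid 8 years: they overlap for 4 years.
	if p.oldIssuing, oldKey, err = issue(template("Example Issuing CA 1", 2, t0, 8, true), p.root, rootKey); err != nil {
		return nil, err
	}
	if p.newIssuing, newKey, err = issue(template("Example Issuing CA 2", 3, t0.AddDate(4, 0, 0), 8, true), p.root, rootKey); err != nil {
		return nil, err
	}
	// Server certificates (2-year validity): one issued the day before the rollover, one the day after.
	if p.oldLeaf, _, err = issue(template(host, 4, t0.AddDate(4, 0, -1), 2, false), p.oldIssuing, oldKey); err != nil {
		return nil, err
	}
	if p.newLeaf, _, err = issue(template(host, 5, t0.AddDate(4, 0, 1), 2, false), p.newIssuing, newKey); err != nil {
		return nil, err
	}
	return p, nil
}

// verifyAt models a relying party that trusts only the Root and builds the
// chain from whatever intermediates the peer presented, evaluated at time `at`.
func verifyAt(p *pki, leaf *x509.Certificate, presented []*x509.Certificate, at time.Time) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.root)
	for _, c := range presented {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: at, DNSName: host})
	return err
}

func main() {
	p, err := buildPKI(time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	at := p.t0.AddDate(5, 0, 0) // one year after the rollover to Issuing CA 2
	fmt.Println("old server cert, sends its own chain:     ", verifyAt(p, p.oldLeaf, []*x509.Certificate{p.oldIssuing}, at))
	fmt.Println("old server cert, verifier holds only CA 2:", verifyAt(p, p.oldLeaf, []*x509.Certificate{p.newIssuing}, at))
	fmt.Println("new server cert, sends its own chain:     ", verifyAt(p, p.newLeaf, []*x509.Certificate{p.newIssuing}, at))
}
```

The first and third checks succeed and the second fails with a chain-building error, because nothing the verifier holds links the old server certificate to the Root. The verifier's own store never changes across the rollover: it contains the Root only, which is the configuration Martin recommends, and which is why no participant has to be notified when the Issuing CA is exchanged.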
That is debatable. In our opinion Issuing CA certificates - in contrast to Root CA certificates - should not be distributed to relying parties. Instead, end entities should send the necessary chain belonging to their own end entity certificate (minus the Root, of course) to relying parties. But this is a general PKI architecture topic and clearly outside the scope of this mailing list. Contact White Rabbit Security if you require generic PKI consulting. > We issue a new issuing certificate every 4 years which is valid for 8 years. > This ensures that a server certificate that was issued with the "old" issuing > certificate shortly before the 4-year period expires can still be validated > until end of its lifetime. This means that there will always be a period > during which two valid issuing certificates are required. If we only ever > receive the last issuing certificate, all servers would have to renew their > certificate. This is not correct if your end entities send their own chain. > Our systems validate the server certificates every time communication is > established and, in the case of the VPN tunnel, by rekeying every 2.5 hours, > i.e. we would have to complete the rollover to the latest issuing certificate > in 2.5 hours. Sure, not a problem with OpenXPKI. OpenXPKI can perform a rollover at runtime, without the need to interrupt or restart the OpenXPKI service. If your PKI architecture is set up properly, not a single participant will notice it. > Is there a notification mechanism in openxpki that the CA could use to inform > its peripheral systems about the CA certificate exchange? Yes, this is possible, but it is not necessary if the PKI is designed correctly. Cheers Martin _______________________________________________ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openxpki-users