On 11/05/2012 11:40 AM, Rob Crittenden wrote:
> Here is the same question I asked last week, this time by someone
> planning ahead.
> They have an externally-signed IPA dogtag CA whose external CA expires
> soon. How do they go about renewing things? I assume they need to
> renew the external CA first. Does it make a difference if the external
> CA is rekeyed?
Unless there is a legitimate concern about key exposure, or there is a
policy regarding how long a CA signing key pair can be used, in general,
renewing a CA signing certificate with the same key pair is much simpler.
Here is a link on how to do so:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Certificate_System...
look under
2.7.3. Allowing a CA Certificate to Be Renewed Past the CA's Validity Period
Things are a bit more complicated if a CA is "re-keyed". This is
because of the need to populate the new trust and maintain the old, the
continued support of revocation with the old, and then there is also
dual generation of CRLs etc. It's more of a hassle in a deployment,
but of course not undoable.
Christina
rob
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
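The distinction Christina draws above (same key pair versus re-key) can be shown concretely with plain openssl(1). The script below is an added example, not code from the thread or from Dogtag/IPA: it builds a throwaway root CA, issues one leaf certificate under it, then produces two candidate replacement CA certificates for the same subject name, one signed with the original key pair (a renewal) and one with a freshly generated key pair (a re-key). The leaf still chains to the renewed certificate because the public key, and therefore the key identifier, is unchanged; it does not chain to the re-keyed one, which is exactly why the re-key case forces you to distribute new trust while keeping the old chain alive for revocation checking. All subject names, lifetimes and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the pki-devel thread): renewing a CA certificate
# with the SAME key pair keeps previously issued certificates valid, while
# re-keying the CA breaks the chain for everything issued before.
# Requires openssl(1). Subjects, lifetimes and file names are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal self-contained OpenSSL config so the script does not depend on the
# system openssl.cnf.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Root CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# 1. Original CA key pair and a CA certificate that is about to expire
#    (1 day of validity stands in for "expires soon").
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -config ca.cnf -x509 -new -key ca.key -days 1 \
  -extensions v3_ca -out ca-old.crt 2>/dev/null

# 2. One leaf certificate issued under the original CA certificate.
openssl genrsa -out leaf.key 2048 2>/dev/null
openssl req -config ca.cnf -new -key leaf.key \
  -subj "/CN=ipa.example.test" -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca-old.crt -CAkey ca.key -CAcreateserial \
  -days 365 -extfile ca.cnf -extensions v3_leaf -out leaf.crt 2>/dev/null

# 3a. Renewal: same subject, same key pair, new validity period.
openssl req -config ca.cnf -x509 -new -key ca.key -days 3650 \
  -extensions v3_ca -out ca-renewed.crt 2>/dev/null

# 3b. Re-key: same subject, brand new key pair.
openssl genrsa -out ca-new.key 2048 2>/dev/null
openssl req -config ca.cnf -x509 -new -key ca-new.key -days 3650 \
  -extensions v3_ca -out ca-rekeyed.crt 2>/dev/null

# Does the leaf chain to the given CA certificate? (exit status 0 = yes)
leaf_verifies_with() {
  openssl verify -CAfile "$1" leaf.crt >/dev/null 2>&1
}

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a certificate, which
# is what the renewed and re-keyed certificates differ on.
pubkey_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

report() {
  if leaf_verifies_with "$1"; then
    printf '%-16s pubkey=%.16s... leaf chains: yes\n' "$1" "$(pubkey_fingerprint "$1")"
  else
    printf '%-16s pubkey=%.16s... leaf chains: NO\n' "$1" "$(pubkey_fingerprint "$1")"
  fi
}

report ca-old.crt
report ca-renewed.crt
report ca-rekeyed.crt
```

Run it as a plain shell script; the renewed certificate shows the same public key fingerprint as the original and the leaf chains to it, while the re-keyed certificate shows a different fingerprint and the leaf fails to verify. In a deployment that is the point at which the old CA certificate has to stay in trust stores (and keep publishing CRLs) until every certificate it issued has been replaced.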