On 11/05/2012 11:40 AM, Rob Crittenden wrote:
Here is the same question I asked last week, this time by someone planning ahead.

They have an externally-signed IPA dogtag CA whose external CA expires soon. How do they go about renewing things? I assume they need to renew the external CA first. Does it make a difference if the external CA is rekeyed?

Unless there is a legitimate concern about key exposure, or there is a policy regarding how long a CA signing key pair can be used, in general, renewing a CA signing certificate with the same key pair is much simpler.
Here is a link on how to do so:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/managing-ca-related-profiles.html
look under
2.7.3. Allowing a CA Certificate to Be Renewed Past the CA's Validity Period

Things are a bit more complicated if a CA is "re-keyed". This is because of the need to populate the new trust and maintain the old, the continued support of revocation with the old, and then there is also dual generation of CRLs, etc. It's more of a hassle in a deployment, but of course not undoable.

Christina
rob
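Since the two paths above differ only in whether the key pair changed, the first thing to check when a new external CA certificate arrives is whether it is a same-key renewal or a re-key. The script below is an added example, not code from this thread or from Dogtag/IPA: it compares the SubjectPublicKeyInfo digest of the old and new CA certificates, using constructed test certificates and assuming only the openssl CLI is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): distinguish a same-key CA renewal from a re-key
# by comparing the public key carried in the old and new CA certificates.
# Assumes the openssl CLI is available; every certificate below is constructed here.
set -eu

# pubkey_fp FILE -> SHA-256 of the DER SubjectPublicKeyInfo inside a PEM certificate
pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# same_key OLD NEW -> "same-key" if the new cert reuses the old key pair, else "rekeyed"
same_key() {
    if [ "$(pubkey_fp "$1")" = "$(pubkey_fp "$2")" ]; then
        echo same-key
    else
        echo rekeyed
    fi
}

# Build a constructed test set in a scratch directory and print its path
make_demo() {
    d=$(mktemp -d)
    # original external CA: fresh key pair, short validity
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca-old.pem" -subj "/CN=Demo-External-CA" -days 30 2>/dev/null
    # renewal with the SAME key pair: new certificate, same key, longer validity
    openssl req -x509 -new -key "$d/ca.key" \
        -out "$d/ca-renewed.pem" -subj "/CN=Demo-External-CA" -days 3650 2>/dev/null
    # re-key: a brand-new key pair under the same subject name
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca2.key" \
        -out "$d/ca-rekeyed.pem" -subj "/CN=Demo-External-CA" -days 3650 2>/dev/null
    echo "$d"
}

demo=$(make_demo)
same_key "$demo/ca-old.pem" "$demo/ca-renewed.pem"   # prints: same-key
same_key "$demo/ca-old.pem" "$demo/ca-rekeyed.pem"   # prints: rekeyed
```

Only the "rekeyed" outcome triggers the extra work described above (importing the new trust while keeping the old, and serving revocation data under both keys); a "same-key" renewal just needs the new certificate installed in place of the expiring one.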
_______________________________________________ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel