On 01/14/2010 09:36 AM, James Wright wrote:

Hi

 

This may be a couple of stupid questions but here goes:

1. How do I set the validity period for the first self-signed CA certificate to be more than the default 2 years?

http://www.redhat.com/docs/manuals/cert-system/8.0/admin/Admin_Guide.pdf
for validity constraints
and for a CA profile:
/var/lib/pki-<instance_id>/profiles/ca/caCACert.cfg
near
policyset.caCertSet.2.constraint.class_id=validityConstraintImpl

2. When the CA certificate expires, will I need to renew all my end user certificates or just renew my CA certificate?

Always renew a CA cert in advance, otherwise the trust chain can no longer be verified.
Renewal can only happen on a valid cert, before expiration; otherwise this is a re-issuance.

 

Thanks

James

 

 


_______________________________________________ Pki-users mailing list Pki-users@redhat.com https://www.redhat.com/mailman/listinfo/pki-users
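
The following is an added example, not part of the original thread or of the Certificate System code: a small audit script that finds every policy in a profile file such as caCACert.cfg that uses `validityConstraintImpl` and reports the configured validity in days. Only the `class_id` line comes from the thread; the `constraint.params.range` and `default.params.range` key names and all sample values are assumptions, so confirm them against your own profile file.

```python
import re

# Constructed sample in the style of a CA profile such as caCACert.cfg.
# Only the validityConstraintImpl class_id line appears in the thread; the
# other keys and all values are assumptions made for this illustration.
SAMPLE_PROFILE = """\
# validity policy (constructed sample)
policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
policyset.caCertSet.2.constraint.name=Validity Constraint
policyset.caCertSet.2.constraint.params.range=720
policyset.caCertSet.2.default.class_id=caValidityDefaultImpl
policyset.caCertSet.2.default.params.range=7305
"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def validity_report(text):
    """Return one row per policy that uses validityConstraintImpl."""
    props = parse_properties(text)
    pattern = re.compile(r"(policyset\.[^.]+\.\d+)\.constraint\.class_id")
    report = []
    for key, value in props.items():
        m = pattern.fullmatch(key)
        if not m or value != "validityConstraintImpl":
            continue
        prefix = m.group(1)
        limit = props.get(prefix + ".constraint.params.range")
        default = props.get(prefix + ".default.params.range")
        limit = int(limit) if limit is not None else None
        default = int(default) if default is not None else None
        # The validity issued by default must fit inside the constraint range.
        fits = limit is not None and default is not None and default <= limit
        report.append({"policy": prefix, "constraint_days": limit,
                       "default_days": default, "default_within_constraint": fits})
    return report

if __name__ == "__main__":
    for row in validity_report(SAMPLE_PROFILE):
        print(row)
```

In the constructed sample the default validity was raised but the constraint was not, so the row is flagged; both values need to be raised together.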