LinuxQuestions.org


michael_util 11-19-2004 02:52 PM

Expiring CA ??
 
Hello,

We have an internal web server running Apache with SSL. We have set up our own CA and have used it to sign certs for other internal web servers.

Our CA expires in Jan 2005 :( What is the best way to handle this?

Do I just simply make a new CA using the same key files, with a new expire date, and hand it out to the desktops?

Do I need to make new certs for the sites and sign them with the new CA?

Michael.

bignerd 11-19-2004 03:14 PM

Re: Expiring CA ??
 
Quote:

Originally posted by michael_util
Hello,

We have an internal web server running Apache with SSL. We have set up our own CA and have used it to sign certs for other internal web servers.

Our CA expires in Jan 2005 :( What is the best way to handle this?

Do I just simply make a new CA using the same key files, with a new expire date, and hand it out to the desktops?

Do I need to make new certs for the sites and sign them with the new CA?

Michael.

I'm not a CA expert, but it's been my understanding that any cert that is signed by a CA goes poof if the CA cert expires. The clients can still accept, I believe, but the certs will be identified as invalid.

My advice: make a new CA cert, then make new certs for the sites and sign them with the new CA.

I would never suggest you use the same key files. Generate new (memory getting foggy) RSA pub/priv keys, assuming you are using RSA-based certs. There is also DSA, but I don't think this is mainstream except maybe in government.

-b
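
The rollover advised in the reply above, sketched with the `openssl` command line as an added example (not code from the thread or its posters). All names (`Old Internal CA`, `New Internal CA`, `intranet.example`), file names and lifetimes are constructed placeholders, and it assumes a stock `openssl.cnf` that marks `req -x509` certificates as CAs. It builds a soon-to-expire CA and a site cert, then a new CA with a new key and a re-issued site cert, and checks which chains verify.

```shell
# Constructed demo: every name, file and lifetime below is a placeholder.

# make_ca <prefix> <CN> <days>: new RSA key plus self-signed CA certificate
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# sign_site <ca-prefix> <site-prefix> <CN> <days>: new site key and CSR, signed by that CA
sign_site() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -sha256 -days "$4" -out "$2.crt" 2>/dev/null
}

# chain_ok <ca-prefix> <site-prefix>: succeeds only if the site cert verifies under that CA
chain_ok() { openssl verify -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1; }

# rollover_demo: runs the whole rollover in a temp dir; returns 0 if every check behaves as expected
rollover_demo() {
  local d; d=$(mktemp -d) || return 1
  ( cd "$d" || exit 1
    make_ca   old-ca "Old Internal CA" 30               # CA about to expire
    sign_site old-ca site-old intranet.example 30
    make_ca   new-ca "New Internal CA" 3650             # new key, new CA cert
    sign_site new-ca site-new intranet.example 365      # re-issued site cert
    openssl x509 -in old-ca.crt -noout -enddate         # when does the old CA expire?
    openssl x509 -in new-ca.crt -noout -checkend $((86400 * 365)) || exit 1
    chain_ok old-ca site-old || exit 1   # existing cert chains to the existing CA
    chain_ok new-ca site-new || exit 1   # re-issued cert chains to the new CA
    ! chain_ok new-ca site-old           # old cert does not chain to a CA with a new key
  )
  local rc=$?; rm -rf "$d"; return $rc
}
```

After sourcing the block, run `rollover_demo`; the new CA certificate (`new-ca.crt`, never the `.key`) is what gets handed out to the desktops, and each web server gets its re-issued cert and key.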

