I found your question quite interesting. I thought it wasn't possible in the beginning, but I found some documentation related to this stuff after some time.
http://www.qxmail.com/bio/structuredarts/docs/edu/reissue.htm
This link is documentation on how to reissue the Root CA certificate using Netscape Certificate Server (proprietary software); anyway, I think it's nice to reissue your Root CA using OpenSSL, and what it says makes sense.
Here comes the magical recipe:
1) You must generate a request (PKCS#10) with the same Distinguished Name and NotBefore (beginning date) fields (I would also use the same EmailAddress...). The NotAfter must be older than the first one. The extensions must also be the same (nsCertType, nsXXXXX...).
2) Use the same Private Key to self-sign the Root CA cert.
3) Load the new Root CA cert into all servers and clients.
I didn't try this and I cannot do it at this moment, so let me know how everything goes.
Pablo
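The three steps above as an added shell example (not from the thread, nor from OpenSSL's or Netscape's documentation): build a short-lived root, issue a server certificate under it, then self-sign a new root with the same private key, DN and extension profile and check that the server certificate still verifies. The names, the extension profile and the validity periods are made up, and it assumes an OpenSSL 1.1.1 or 3.x binary on PATH.

```shell
#!/bin/sh
# Added example: reissue a root CA with the same key, subject and extensions
# but a longer validity, then confirm an end-entity certificate issued under
# the old root still verifies against the new one.
# Assumes OpenSSL 1.1.1 or 3.x on PATH; all names below are constructed.
set -eu

SUBJ="/CN=Example Root CA"

reissue_root_ca() (
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT
  cd "$work"

  # Extension profile shared by the original and the reissued root (step 1:
  # same DN, same extensions). The empty DN section keeps older 'req'
  # versions happy when the subject is passed with -subj.
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Original root with a deliberately short validity
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>/dev/null
  openssl req -new -x509 -key ca.key -days 30 -subj "$SUBJ" \
    -config ca.cnf -extensions v3_ca -out ca_old.crt
  # End-entity certificate that outlives the original root
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ee.key 2>/dev/null
  openssl req -new -key ee.key -subj "/CN=server.example.test" -config ca.cnf -out ee.csr
  openssl x509 -req -in ee.csr -CA ca_old.crt -CAkey ca.key -CAcreateserial \
    -days 365 -out ee.crt 2>/dev/null

  # Step 2: self-sign a new root with the SAME private key, DN and extensions;
  # only NotAfter moves out (req -x509 sets NotBefore to the current time).
  openssl req -new -x509 -key ca.key -days 3650 -subj "$SUBJ" \
    -config ca.cnf -extensions v3_ca -out ca_new.crt

  # Same public key and subject, hence the same subjectKeyIdentifier, so the
  # chain built for ee.crt only differs in the root's validity window.
  [ "$(openssl x509 -in ca_old.crt -noout -pubkey)" = "$(openssl x509 -in ca_new.crt -noout -pubkey)" ]
  [ "$(openssl x509 -in ca_old.crt -noout -subject)" = "$(openssl x509 -in ca_new.crt -noout -subject)" ]

  # Step 3 in miniature: a client trusting only the new root accepts ee.crt
  openssl verify -CAfile ca_new.crt ee.crt
)
```

Calling `reissue_root_ca` prints `ee.crt: OK` and returns 0 when the reissued root is accepted; the temporary directory is removed on exit.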
David wrote:
Hello list,
I have some questions about reissuing of CA certificates. Imagine I've got
the following hierarchy within my PKI.
TLCA
  |
 CA
  |
end-entities
If the CA certificate is about to expire before the certificates of the end-entities do, can I reissue the CA certificate with an extended validity period to work around this?
If yes, can I do this by issuing a certificate with the same public key, CN and subjectKeyIdentifier from the current CA certificate? Because those are the only "fields" which are used within the verifying process, if I'm right.
I hope someone can shine some light on this situation,
Thanks in advance,
David
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]