On Thu, Apr 20, 2006 at 04:42:53PM +0100, John Francis wrote:

> A word of warning, this was done to satisfy some test data.
>
> In fact you shouldn't be doing this at all. You should create a new private
> key.
>
> The only reason to preserve the old private key is if there is something out
> there signed with it and if this is the root CA and its public cert has
> expired you really shouldn't allow anything out there to remain valid
> anyway. By issuing a new cert with the old key you are actually allowing old
> certificates possibly to validate.
Those would be old certificates, whose expiration time post-dates the
expiration time of the CA. Usually that is not a problem and sometimes (a CA
signing a 1 year certificate in the last year of the CA's validity) it allows
one to make up for harmless procedural errors. Generally a CA's lifetime is a
reasonable multiple of the maximum lifetime of the certificates it signs, and a
new CA cert is minted and distributed to the world at large, and then used well
before the old CA becomes invalid.

-- 
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
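The exchange above, reproduced as an added shell example (not code from either poster or from the OpenSSL project): a leaf certificate signed for a year by a CA certificate that expires the next day, verified with `openssl verify -attime` before and after the CA certificate expires, and then the step John warns about, a CA certificate re-issued from the same private key, after which the same leaf verifies again. The subject names, lifetimes, file names and the minimal req config are constructed for the demo; it needs only the `openssl` command line tool.

```shell
#!/bin/sh
# Added example (not from the thread): a leaf certificate that outlives its
# issuing CA certificate, and what re-signing a CA cert with the SAME key does
# to the validity of everything that key ever signed. All names, lifetimes and
# file names here are made up for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
export OPENSSL_CONF="$WORK/req.cnf"

# make_pki: a CA key, a 1-day self-signed CA cert, and a leaf cert signed for
# 365 days by that CA. The leaf outlives its issuer by about 364 days, which is
# the "harmless procedural error" Viktor mentions.
make_pki() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ca.key 2>/dev/null
  openssl req -new -x509 -config req.cnf -key ca.key -days 1 \
      -subj "/CN=Demo Root CA" -out ca-old.crt 2>/dev/null
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out leaf.key 2>/dev/null
  openssl req -new -config req.cnf -key leaf.key -subj "/CN=leaf.example" \
      -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA ca-old.crt -CAkey ca.key -CAcreateserial \
      -days 365 -out leaf.crt 2>/dev/null
}

# reissue_ca: a new CA certificate with the same subject and the SAME private
# key, but a long fresh validity. This is the step John warns about: every old
# signature made with ca.key becomes verifiable again under the new cert.
reissue_ca() {
  openssl req -new -x509 -config req.cnf -key ca.key -days 3650 \
      -subj "/CN=Demo Root CA" -out ca-new.crt 2>/dev/null
}

# verify_at CA_CERT EPOCH_SECONDS: does leaf.crt chain to CA_CERT at that
# instant? Returns openssl verify's status (0 = valid) for use in `if`.
verify_at() {
  openssl verify -attime "$2" -CAfile "$1" leaf.crt >/dev/null 2>&1
}

make_pki
reissue_ca
NOW=$(date +%s)
LATER=$((NOW + 2 * 86400))   # two days out: the 1-day CA cert has expired

report() {
  if verify_at "$1" "$2"; then echo "$1 at +$3: leaf VALID"
  else echo "$1 at +$3: leaf INVALID"; fi
}
report ca-old.crt "$NOW"   "0d"   # valid: both certs inside their windows
report ca-old.crt "$LATER" "2d"   # invalid: issuer expired, leaf still in-date
report ca-new.crt "$LATER" "2d"   # valid again: same key, fresh CA cert
```

The third line of output is the whole point of the thread: nothing about the leaf changed, yet re-issuing the CA certificate from the old key silently extends the life of every certificate that key ever signed. Viktor's recommended practice avoids the question entirely: generate a new CA key and certificate, distribute it to relying parties, and start signing with it well before the old CA certificate expires, so that no leaf ever needs to outlive its issuer.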