Hello,

Today, XV Kal. Iun. MMXI (18 May 2011), Jean-Ann GUEGAN wrote:
> Hi!
>
> It’s possible to renew a Certificate Authority or extend the date validity?

These 2 options are possible.

"Recertify" (i.e. sign the same certificate, but change the serial number and validity dates) is the least problematic solution, as the same public key will be used to validate the certificates and CRLs.

"Renew" (i.e. create an entirely new certificate, strictly keeping the same exact subject DN, changing the key, validity dates, and potentially the extensions) is covered by the X.509 standard (a CA is a name, not a certificate). Sadly, you can't be sure it's correctly dealt with by verifiers. The new objects (certificates and CRLs) will be signed by the new CA key, the CRLs will cover both "old" and "new" certificates (by old, I mean those signed by the old CA certificate).

If your CA is a root, and you want RFC5280 compliance, you MUST produce one CRL for each root CA certificate (and adapt the crlDistributionPoints).

-- 
Erwann ABALEA <erwann.aba...@keynectis.com>
R&D Department
KEYNECTIS
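
The two options described in the reply above can be compared with the openssl CLI. This is an added example, not part of the original message; the subject DN, serial numbers, file names and helper function names are constructed for the demo. It checks whether a certificate issued before the change still chains to the recertified and to the renewed CA certificate.

```shell
# Added example: all names, serials and paths below are constructed.
# self_sign DIR KEY SERIAL OUT: self-signed CA cert, always the same subject DN.
self_sign() {
  openssl req -new -x509 -config "$1/ca.cnf" -key "$1/$2" -set_serial "$3" -days 3650 -out "$1/$4"
}
# Build a throwaway root CA plus one leaf it signed; prints the work directory.
setup_ca() {
  d=$(mktemp -d) || return 1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl ecparam -genkey -name prime256v1 -noout -out "$d/old.key"
  openssl ecparam -genkey -name prime256v1 -noout -out "$d/leaf.key"
  self_sign "$d" old.key 1 old_ca.pem
  openssl req -new -config "$d/ca.cnf" -key "$d/leaf.key" -subj "/CN=leaf.example" -out "$d/leaf.csr"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/old_ca.pem" -CAkey "$d/old.key" \
    -set_serial 100 -days 365 -out "$d/leaf.pem" 2>/dev/null
  echo "$d"
}
# "Recertify": same key and subject DN, new serial number and validity dates.
recertify() { self_sign "$1" old.key 2 recert_ca.pem; }
# "Renew": new key, same subject DN.
renew() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$1/new.key"
  self_sign "$1" new.key 3 renewed_ca.pem
}
# Does the already-issued leaf chain to CA certificate $2? Prints ok or fail.
leaf_verifies() {
  if openssl verify -CAfile "$1/$2" "$1/leaf.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
# Demo run: compare the three CA certificates against the same old leaf.
demo=$(setup_ca) && recertify "$demo" && renew "$demo"
for ca in old_ca.pem recert_ca.pem renewed_ca.pem; do
  echo "$ca: $(leaf_verifies "$demo" "$ca")"
done
rm -rf "$demo"
```

The leaf issued under the old key verifies against the recertified certificate, but not against the renewed certificate on its own, even though all three CA certificates carry the same subject DN.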