> 4. Configure each serverX to accept client certificates
> issued by old-groupX-cert OR new-groupX-cert (most server
> software can be configured with a list of valid
> client-cert-issuers and the SSL protocol supports that).
More or less that's the way to go. That's what I've come up with (yet only on a small scale):

Step one: On the server use the old .pem file that includes the old server-key, server-cert, group-cert and root-cert AND add the following files to this .pem: New-Root-Cert, New-Group-Cert. That way the server still uses the old key and certs, so that peers with old certs can still connect. Because the new certs are available too, the server will also accept clients that try to connect with the new certs. All clients, either with new or old certificate, will accept the server's cert.

Step two: Now replace the cert files of all clients with new certs.

Step three: After all clients have updated the certs, now replace the server's cert file with the new cert. (In step one the server's key and cert remained the old ones; that has to be replaced now.)

Again, thanks for your help!
T.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
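The three-step rotation above, as an added example that is not part of the thread: it builds throwaway "old" and "new" hierarchies (root -> group -> client) with the openssl CLI, assembles the transitional issuer bundle from step one and the final bundle from step three, and uses `openssl verify` as a stand-in for a TLS server's client-cert check. The file names, subjects and two-day lifetimes are constructed for the demo.

```bash
# Added example, not code from the thread: throwaway "old" and "new" CA
# hierarchies (root -> group -> client) and the server issuer bundles used
# during the rotation. Assumes the openssl CLI (1.1.1 or 3.x) is installed.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# extensions that mark root and group certs as CAs
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# make_chain NAME: self-signed root, group CA signed by root, client cert signed by group
make_chain() {
  n=$1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n-root" \
    -keyout "$n-root.key" -out "$n-root.csr" 2>/dev/null
  openssl x509 -req -in "$n-root.csr" -signkey "$n-root.key" -days 2 \
    -extfile ca.ext -out "$n-root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n-group" \
    -keyout "$n-group.key" -out "$n-group.csr" 2>/dev/null
  openssl x509 -req -in "$n-group.csr" -CA "$n-root.pem" -CAkey "$n-root.key" \
    -CAcreateserial -days 2 -extfile ca.ext -out "$n-group.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n-client" \
    -keyout "$n-client.key" -out "$n-client.csr" 2>/dev/null
  openssl x509 -req -in "$n-client.csr" -CA "$n-group.pem" -CAkey "$n-group.key" \
    -CAcreateserial -days 2 -out "$n-client.pem" 2>/dev/null
  # the issuer list a server loads for this generation: group cert plus root cert
  cat "$n-group.pem" "$n-root.pem" > "$n-ca.pem"
}

# accepts BUNDLE CERT: succeeds when CERT chains to an issuer listed in BUNDLE
accepts() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

make_chain old
make_chain new
# step one: the server keeps the old issuers and appends the new ones
cat old-ca.pem new-ca.pem > transition-ca.pem
# step three: once every client has been re-issued, drop the old issuers
cp new-ca.pem final-ca.pem

for bundle in old-ca.pem transition-ca.pem final-ca.pem; do
  for client in old-client.pem new-client.pem; do
    if accepts "$bundle" "$client"; then r=accepted; else r=rejected; fi
    echo "$bundle: $client $r"
  done
done
```

Only transition-ca.pem accepts both client generations; final-ca.pem rejects old-client.pem, which is why the old issuers must stay in the bundle until the last client has been re-issued.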