On 2/16/2012 10:29 AM, T. Valent wrote:
>> 4. Configure each serverX to accept client certificates
>> issued by old-groupX-cert OR new-groupX-cert (most server
>> software can be configured with a list of valid
>> client-cert-issuers and the SSL protocol supports that).
> More or less that's the way to go.
> That's what I've come up with (only on a small scale so far):
> Step one:
> On the server use the old .pem file that includes the old server-key,
> server-cert, group-cert and root-cert
> AND
> add the following files to this .pem:
> New-Root-Cert, New-Group-Cert
This might interact badly with the TLS certificate chain bug
discussed in another thread on this list this week.
Unless your software is very unusual, it should be taking two
.pem files as input: One describing trusted client certs
(list both group certs, but no root certs there) and one
describing its own cert and the validation chain to send to
clients (list only one cert and its parents, either old or
new set).
Omitting the root certs from the client trust list ensures
that client certs from other groups cannot be considered
valid. Omitting the unused set of certs from the server
chain ensures the server chain is a plain bottom-to-root
chain as required by the SSL/TLS protocol specifications.
> That way the server still uses the old key and certs so that peers with
> old certs can still connect. Because the new certs are available, too,
> the server will also accept clients that try to connect with the new
> certs. All clients, either with new or old certificates, will accept the
> server's cert.
> Step two:
> Now replace the cert files of all clients with new certs.
> Step three:
> After all clients have updated their certs, replace the server's cert
> file with the new cert. (In step one the server's key and cert remained
> the old ones; they have to be replaced now.)
> Again, thanks for your help!
> T.
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
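A worked version of the two-file layout Jakob describes above (a client trust list holding only the two group certs, and a server chain holding only the old set), as an added example that is not part of the original thread and not anyone's production setup. It builds a throwaway PKI with openssl(1) and checks the trust-list semantics with `openssl verify`; it also goes one step past the text by showing what listing the old root instead would let in. One caveat a practitioner needs: OpenSSL's verifier only accepts a chain that ends at a self-signed certificate in the trust store unless partial chains are enabled (`-partial_chain` on the command line, X509_V_FLAG_PARTIAL_CHAIN in the API), which exists from OpenSSL 1.0.2 on, so the script assumes 1.0.2 or later. All names (Old Root, Old GroupX, serverX, clientY and so on) are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a throwaway PKI with
# openssl(1) and checks the two-file layout: a client trust list holding only
# the two group certs, and a server chain holding only the old set.
# Assumes OpenSSL >= 1.0.2 (needed for -partial_chain). All names are made up.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal config so the example does not depend on the system openssl.cnf.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
EOF

# mkcert NAME SUBJECT EXT_SECTION [ISSUER]: P-256 key plus a cert signed by
# ISSUER, or self-signed when ISSUER is omitted (roots).
mkcert() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$1.key"
    openssl req -new -config pki.cnf -key "$1.key" -subj "$2" -out "$1.csr"
    if [ $# -lt 4 ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
            -extfile pki.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
            -days 30 -extfile pki.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
    fi
}

# Old hierarchy: root -> groupX -> server and client; a sibling groupY under
# the same root stands in for "another group". New hierarchy: new root -> new groupX.
mkcert old-root     "/CN=Old Root"    ca_ext
mkcert old-group    "/CN=Old GroupX"  ca_ext   old-root
mkcert other-group  "/CN=Old GroupY"  ca_ext   old-root
mkcert server       "/CN=serverX"     leaf_ext old-group
mkcert old-client   "/CN=clientX-old" leaf_ext old-group
mkcert other-client "/CN=clientY"     leaf_ext other-group
mkcert new-root     "/CN=New Root"    ca_ext
mkcert new-group    "/CN=New GroupX"  ca_ext   new-root
mkcert new-client   "/CN=clientX-new" leaf_ext new-group

# File 1 (step one): what the server trusts for client auth. Both group certs, no roots.
cat old-group.pem new-group.pem > client-trust.pem
# File 2 (step one): the server's own chain, leaf first, old set only.
cat server.pem old-group.pem > server-chain.pem
# Both old intermediates in one bundle, used only by the "root trusted" comparison.
cat old-group.pem other-group.pem > old-intermediates.pem

# client_accepted CERT: "accept" or "reject" for a client cert checked the way
# the server would, against the group-only trust list. -partial_chain lets the
# chain stop at a trusted intermediate instead of requiring a root.
client_accepted() {
    if openssl verify -partial_chain -CAfile client-trust.pem "$1" >/dev/null 2>&1
    then echo accept; else echo reject; fi
}

# root_trust_accepted CERT: the same check with the old root in the trust
# store instead, to show what listing roots would let in.
root_trust_accepted() {
    if openssl verify -CAfile old-root.pem -untrusted old-intermediates.pem "$1" >/dev/null 2>&1
    then echo accept; else echo reject; fi
}

# server_chain_ok: the chain file must start with the leaf and verify up to
# the old root, which is what a client needs to see.
server_chain_ok() {
    first=$(openssl x509 -in server-chain.pem -noout -subject)
    case "$first" in *serverX*) ;; *) return 1 ;; esac
    openssl verify -CAfile old-root.pem -untrusted server-chain.pem server.pem >/dev/null 2>&1
}

for c in old-client new-client other-client; do
    echo "$c: group trust list -> $(client_accepted $c.pem), old root trusted -> $(root_trust_accepted $c.pem)"
done
server_chain_ok && echo "server chain: leaf first, verifies to old root"
```

The group-only list accepts clientX-old and clientX-new and rejects clientY, while trusting the old root instead accepts clientY as well, which is the reason for leaving roots out of that file. The same two files map onto the OpenSSL test server as `openssl s_server -cert server-chain.pem -key server.key -CAfile client-trust.pem -Verify 1 -partial_chain` (the option names for real server software differ; treat that mapping as an assumption to check against your software's documentation), and the step-three swap is just regenerating server-chain.pem from the new set.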