I have a best practices question on CA management for signing. I have created a CA signing cert and issue all other certs using this CA to sign them.
1) I noticed that many CA examples set a term of 3650 days. Is this common practice?
2) If I decide to revoke the CA and create a new CA, what is the practice for all the certs on this CA? Do I revoke them and reissue new ones when needed?
3) Currently the public CRL is signed by the CA. What do I do about this for the new CA?
4) For OCSP, how does this work out for the new CA? I think the OCSP can take more than one CA to know about, but what about the OCSP signing cert? Do I create a new one there with the new CA?
5) I have an SSL cert on the current CA. Do I create a new one with the new CA and simply replace the old one?