On Tuesday 13. August 2013 06:17:35 redpath wrote:
> I have a best practices question on CA management for signing.
> 
> I have created CA signing cert and issue all other certs using this
> CA to sign them.
> 
> 1) I noticed that many CA examples set a term of 3650 days, is this common
> practice?

How long you issue your CA certificate depends mainly on the strength of the
key and the digest algorithm used to sign it. Yes, 10 years is common, but not
exactly a "rule".
 
> 2) If I decide to revoke the CA and create a new CA, what is the practice for
> all the certs on this CA? Do I revoke them and reissue new ones when needed?

If you revoke a CA certificate, all certificates issued by it become invalid 
automatically as well. So you need to reissue them using your new CA.

> 
> 3) Currently the public CRL is signed by the CA. What do I do about this for
> the new CA?

Unless you state a different certificate within the certificate, a CRL
has to be signed by the CA itself.
 
> 4) For OCSP, how does this work out for the new CA? I think the OCSP can take
> more than one CA to know about, but what about the OCSP signing cert? Do I
> create a new one there with the new CA?

Same as with CRL.
 
> 5) I have an SSL cert on the current CA. Do I create a new one with the new
> CA and simply replace the old one?

I don't really understand your question here. What is the difference between 
"create a new certificate" and "replace the old certificate"?
 
cheers
Mat
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
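An added example, not from the thread and not OpenSSL project code, that walks through Mat's answers to points 2, 3 and 5 on the openssl command line: a second CA, the server certificate reissued under it, a CRL signed with the new CA's own key, and verification showing that the old CA's leaf no longer validates. All names, paths and the 3650/365-day lifetimes are constructed, and it assumes an openssl binary (1.1.1 or later) on PATH.

```shell
set -e  # Added example, not from the thread; every name, path and lifetime here is constructed.
WORK=$(mktemp -d)
publish_crl() {  # $1 = CA name; the CRL is always signed with this CA's own private key
  openssl ca -config "$WORK/$1/ca.cnf" -gencrl -crldays 30 -out "$WORK/$1/crl.pem" 2>/dev/null
}
make_ca() {  # $1 = CA name, $2 = CA certificate lifetime in days (a policy choice, not a rule)
  d="$WORK/$1"; mkdir -p "$d"; : > "$d/index.txt"; echo 1000 > "$d/serial"; echo 01 > "$d/crlnumber"
  cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days "$2" -subj "/CN=$1" \
    -config "$d/ca.cnf" -extensions v3_ca -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  publish_crl "$1"  # a fresh CA starts with an empty CRL, already signed by its own key
}
issue_leaf() {  # $1 = CA name, $2 = leaf CN; the signed certificate lands in $WORK/$1-$2.pem
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$WORK/$1/ca.cnf" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl ca -batch -notext -days 365 -config "$WORK/$1/ca.cnf" -in "$WORK/$2.csr" -out "$WORK/$1-$2.pem" 2>/dev/null
}
verify_leaf() {  # $1 = CA name used as trust anchor, $2 = leaf; prints valid or invalid
  cat "$WORK/$1/ca.pem" "$WORK/$1/crl.pem" > "$WORK/$1/bundle.pem"  # chain check plus CRL check
  openssl verify -crl_check -CAfile "$WORK/$1/bundle.pem" "$2" >/dev/null 2>&1 && echo valid || echo invalid
}
make_ca old-ca 3650; make_ca new-ca 3650          # the 3650-day term from the question, as a constructed choice
issue_leaf old-ca server; issue_leaf new-ca server  # the server certificate is simply reissued under new-ca
verify_leaf old-ca "$WORK/old-ca-server.pem"   # valid
verify_leaf new-ca "$WORK/old-ca-server.pem"   # invalid: a leaf from old-ca does not chain to new-ca
openssl ca -config "$WORK/new-ca/ca.cnf" -revoke "$WORK/new-ca-server.pem" 2>/dev/null; publish_crl new-ca
verify_leaf new-ca "$WORK/new-ca-server.pem"   # invalid: revoked by the CRL that new-ca itself signed
```

Certificates issued by the retired CA stay invalid under the new trust anchor whether or not they are individually revoked, which is why reissuing them under the new CA is the practical step.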
