Hi Sven,

> -----Original Message-----
> From: Sven Reissmann
>
> What I want to achieve is having a new rootCA, which replaces an
> oldRootCA, which I am using until now.
>
> So far the trust chain is: oldRoot -> oldServerCert.
>
> What I thought should be possible is building this trust chain:
> oldRoot -> newRoot -> newSubCA -> newServerCert
>
> As users are trusting oldRoot, changing the oldServerCert to
> newServerCert is no problem. After some time, users would move trust to
> newRoot and I can "disable" oldRoot.
>
> This doesn't seem possible, if I understand your answers correctly.
>
> Is there another/better/default way of smoothly changing a trust anchor?
> I.e. by cross-signing the newRoot by itself and the oldRoot?
Just add the new root-CA certificate to all relevant truststores. Afterwards you can start issuing certificates that are trusted by all parties with updated truststores.

HTH,
Patrick Eisenacher
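The rollover Patrick describes, as an added example that is not part of the thread: two throwaway roots (oldRoot, newRoot) are generated with openssl, a server certificate is issued from each, and a PEM truststore file is checked before and after newRoot is appended to it. All names, paths and the use of a flat PEM truststore are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): shows that a certificate issued by
# newRoot only verifies once newRoot has been added to the truststore,
# and that oldRoot can be dropped later. Names/paths are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# generate a self-signed root CA: $1 = name (key and cert written as $1.key/$1.crt)
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue an end-entity certificate: $1 = signing CA name, $2 = subject name
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 30 -out "$2.crt" 2>/dev/null
}

# verify certificate $2 against truststore file $1; prints "ok" or "fail"
verify_with() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_root oldRoot
make_root newRoot
issue_cert oldRoot oldServerCert
issue_cert newRoot newServerCert

# truststore as it exists today: oldRoot only
cp oldRoot.crt truststore.pem
echo "oldServerCert vs oldRoot-only store:   $(verify_with truststore.pem oldServerCert.crt)"
echo "newServerCert vs oldRoot-only store:   $(verify_with truststore.pem newServerCert.crt)"

# step 1 of the reply: distribute newRoot into every relevant truststore
cat newRoot.crt >> truststore.pem
echo "newServerCert vs old+new store:        $(verify_with truststore.pem newServerCert.crt)"

# later, once all parties trust newRoot, oldRoot can be removed
cp newRoot.crt truststore.pem
echo "oldServerCert vs newRoot-only store:   $(verify_with truststore.pem oldServerCert.crt)"
echo "newServerCert vs newRoot-only store:   $(verify_with truststore.pem newServerCert.crt)"
```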