On 03/05/2016 04:36 AM, Jan Just Keijser wrote:
> Hi,
>
> On 04/03/16 22:58, ValdikSS wrote:
> how did you generate the cross-signed CA certs? I've looked around but all
> cross-signing either requires you to use the same private key (i.e. bit size)
> or that you extend the trust of one CA with that of another. The first is of
> no help as the key size needs to be different. The second (extending trust)
> does not work as you'd need to install this cross-trust CA at the client
> side. I found this interesting example on how to generate cross-signed certs
> here:
> https://chromium.googlesource.com/chromium/src/net/+/master/data/ssl
I've signed my new CA's private key (4096 bit) with the old CA (1024 bit) and it became an intermediate to my old CA (what you call extending trust), but I also issued a self-signed new CA. I issue server certificates with the new CA. Current users trust only the old CA, so to make them connect to servers with server certificates issued by the new CA, we should either add the cross-signed (intermediate) certificate on the client side, or push it from the server. The latter is what I'm trying to achieve. New clients will get configuration files with the new CA inside, and they would be able to connect successfully, since the intermediate certificate pushed from the server would simply be ignored. Old clients would eventually update their configuration files too. After some time, we'll move all users to the new CA and remove the intermediate certificate from the server.

>
> JJK
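As an added example (not code from the thread, and not how ValdikSS or OpenVPN actually did it), the following script rebuilds the arrangement described above with the openssl CLI: an old root, the new CA as both a self-signed root and an old-CA-signed intermediate, one server certificate from the new CA, and a check of what an old client and a new client each accept. Constructed assumptions: the CA names, the hostname vpn.example.test, and 2048/4096-bit keys instead of the thread's 1024/4096, because modern OpenSSL security levels refuse 1024-bit CA keys.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild the cross-signing setup with the
# openssl CLI and check which trust stores accept a server cert issued by the new CA.
# Constructed: 2048/4096-bit keys (not 1024, which current OpenSSL rejects) and all names.
set -e

# build_pki DIR: old root; new CA as self-signed root AND as intermediate cross-signed by
# the old root; one server cert issued by the new CA. Subshell keeps the caller's cwd.
build_pki() (
  mkdir -p "$1" && cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.test\n' > srv.ext

  # Old root: the only CA existing clients trust today.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Old CA" -keyout old.key -out old.csr 2>/dev/null
  openssl x509 -req -in old.csr -signkey old.key -sha256 -days 365 -extfile ca.ext -out old.crt 2>/dev/null

  # New CA: one key, one CSR. Signing the same CSR twice yields two certificates with
  # identical subject and public key that differ only in issuer and signature.
  openssl req -new -newkey rsa:4096 -nodes -sha256 -subj "/CN=New CA" -keyout new.key -out new.csr 2>/dev/null
  openssl x509 -req -in new.csr -signkey new.key -sha256 -days 365 -extfile ca.ext -out new-root.crt 2>/dev/null
  openssl x509 -req -in new.csr -CA old.crt -CAkey old.key -CAcreateserial -sha256 -days 365 \
    -extfile ca.ext -out new-cross.crt 2>/dev/null

  # Server certificate: issued by the new CA only; every client is served this same cert.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=vpn.example.test" -keyout srv.key -out srv.csr 2>/dev/null
  openssl x509 -req -in srv.csr -CA new-root.crt -CAkey new.key -CAcreateserial -sha256 -days 365 \
    -extfile srv.ext -out srv.crt 2>/dev/null
)

# client_accepts DIR TRUSTED_CA [PUSHED_CERT]: status 0 if a client whose store holds only
# TRUSTED_CA validates srv.crt, given the extra certificate the server pushed (if any).
client_accepts() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1/$2" -untrusted "$1/$3" "$1/srv.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/$2" "$1/srv.crt" >/dev/null 2>&1
  fi
}

PKI=$(mktemp -d)
build_pki "$PKI"
# Old client, server pushes the cross-signed cert: chain is srv -> New CA (cross) -> Old CA.
client_accepts "$PKI" old.crt new-cross.crt && echo "old client, intermediate pushed: accepted"
# New client, same pushed chain: chain building reaches its own New CA root directly,
# so the pushed intermediate is simply ignored, as the thread expects.
client_accepts "$PKI" new-root.crt new-cross.crt && echo "new client, intermediate pushed: accepted"
# Old client with nothing pushed: no path to Old CA; this is the breakage the migration avoids.
client_accepts "$PKI" old.crt || echo "old client, nothing pushed: rejected"
```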