own Certificate Authority: Renewal of CA cert

Hello list,

let me say first that I'm not too deep into the secrets of openssl, I just like it as being a stable, great-working software for all concerns of dealing with encryption and especially x.509 certificates for my VPN connections, webservers, and so on.

I got one big problem for now: My self-signed CA cert will expire in about one month. I installed it 4 years ago and never minded about, but now I have to renew it.
The Creation of a whole new CA and client certificates isn't possible for me because of the large number of clients using my certs (VPN Roadwarriors, Webservers, Mailservers, and so on).
Since I didn't find very much useful information on the net concerning the renewal of certificates (might be I did the wrong searches?), I want to ask you some points:

- First of all, is there any HowTo that deals not only with creaton, but also with the renewal of self-signed CA certs in detail?

More detailed, and for addressing my actual problem right now, I'd need to know

- Is it possible to renew a CA cert that way, that those user certs which I signed with the old CA cert shortly (means less than one year) ago, still remain valid?
- if yes, how would I manage this using the good old openssl commands ?

- I assume I have to replace the old with the new CA cert on every client machine where it is installed, as long as I don't set up a web based (e.g. url-fetching) mechanism - correct?

Your help is GREATLY appreciated - and thanks a lot in advance.

Andreas Grimmel
System Administrator
- down to his knees - ;-)


______________________________________________________________________
OpenSSL Project [url]http://www.openssl.org[/url]
User Support Mailing List [email]openssl-users@openssl.org[/email]
Automated List Manager [email]majordomo@openssl.org[/email]