own Certificate Authority: Renewal of CA cert
let me say first that I'm not too deep into the secrets of openssl, I just like it as being a stable, great-working software for all concerns of dealing with encryption and especially x.509 certificates for my VPN connections, webservers, and so on.
I got one big problem for now: My self-signed CA cert will expire in about one month. I installed it 4 years ago and never minded about, but now I have to renew it.
The Creation of a whole new CA and client certificates isn't possible for me because of the large number of clients using my certs (VPN Roadwarriors, Webservers, Mailservers, and so on).
Since I didn't find very much useful information on the net concerning the renewal of certificates (might be I did the wrong searches?), I want to ask you some points:
- First of all, is there any HowTo that deals not only with creaton, but also with the renewal of self-signed CA certs in detail?
More detailed, and for addressing my actual problem right now, I'd need to know
- Is it possible to renew a CA cert that way, that those user certs which I signed with the old CA cert shortly (means less than one year) ago, still remain valid?
- if yes, how would I manage this using the good old openssl commands ?
- I assume I have to replace the old with the new CA cert on every client machine where it is installed, as long as I don't set up a web based (e.g. url-fetching) mechanism - correct?
Your help is GREATLY appreciated - and thanks a lot in advance.
- down to his knees - ;-)
OpenSSL Project [url]http://www.openssl.org[/url]
User Support Mailing List [email]email@example.com[/email]
Automated List Manager [email]firstname.lastname@example.org[/email]