own Certificate Authority: Renewal of CA cert

Hello list,
let me say first that I'm not too deep into the secrets of openssl, I just like it as being a stable, great-working software for all concerns of dealing with encryption and especially X.509 certificates for my VPN connections, webservers, and so on.
I got one big problem for now: My self-signed CA cert will expire in about one month. I installed it 4 years ago and never minded about, but now I have to renew it.
The creation of a whole new CA and client certificates isn't possible for me because of the large number of clients using my certs (VPN Roadwarriors, Webservers, Mailservers, and so on).
Since I didn't find very much useful information on the net concerning the renewal of certificates (might be I did the wrong searches?), I want to ask you some points:
- First of all, is there any HowTo that deals not only with creation, but also with the renewal of self-signed CA certs in detail?
More detailed, and for addressing my actual problem right now, I'd need to know
- Is it possible to renew a CA cert in such a way that those user certs which I signed with the old CA cert recently (meaning less than one year ago) still remain valid?
- If yes, how would I manage this using the good old openssl commands?
- I assume I have to replace the old with the new CA cert on every client machine where it is installed, as long as I don't set up a web based (e.g. url-fetching) mechanism - correct?
Your help is GREATLY appreciated - and thanks a lot in advance.
- down to his knees - ;-)