From: Diego de F. <die...@gm...> - 2006-12-14 09:57:47

In my experience, if you want to recreate all from scratch, you must empty the databases but also the OpenSSL files. Remember that OpenCA uses OpenSSL to perform all cryptographic operations, so you must empty or restart the files: index.txt, crlnumber, serial. If you don't do this you'll have CRLs with high serial numbers and with old certificate serials inside.

On 12/14/06, Francois Pernet <Fra...@id...> wrote:
> Thank you Diego for all these detailed explanations.... In fact, after reviewing the procedure the customer decided to blank the certificate database on both CA and RA Node because not too many certs have already been delivered.
>
> Is there a good way to zero the database (and then recreate everything: secret, cacert, ca op, ra op, etc...) except removing the Berkeley files directly? Remember we have the CA node on one side (offline) and RA + LDAP + PUB node on the other side....
>
> Thank you
>
> Francois
>
> >>> "Diego de Felice" <die...@gm...> 08.12.2006 15:07 >>>
> A self-signed CA is a root CA, so you cannot revoke it like a normal certificate. In theory, to revoke a root CA (you do this only for a CA key compromise or CA dismissing) you must first of all revoke all issued certificates, issue a new CRL, destroy the CA key pair, inform all the certificate holders of the event and inform them to put the CA certificate in the Untrusted Root Certification Authority of their certificate store.
>
> However, you DON'T need to make this mess, because you only want to renew the CA certificate using the preexisting key pair, so you don't need to revoke anything. All the new and old issued certificates will be verified against this new CA certificate because its public key is always the same. However, some software can have problems because the DN changes (if you note, on Windows, in the trust chain, a certificate is related to the CA through the DN found in the Issuer field of the certificate; however it informs you that there is a problem if the signature doesn't match).
>
> If you want to change the key pair instead, you must do a simple procedure:
>
> 1. Generate the new key pair
> 2. Create a PKCS10 signed with the old key pair (OldP10)
> 3. Create a PKCS10 signed with the new key pair (NewP10)
> 4. Issue the certificate for NewP10 by signing it with the old key pair (it will be named NewWithOld) and save it in a safe place
> 5. Save in a safe place the old CA certificate (OldWithOld)
> 6. Issue the new CA certificate by self-signing NewP10 (NewWithNew)
> 7. Issue the certificate for OldP10 by signing it with the new key pair (it will be named OldWithNew) and save it in a safe place
>
> All these procedures are not assisted in OpenCA, but it is very simple to perform them using the background OpenSSL environment used by OpenCA itself :-)
>
> P.S.: Correct me if something is not clear or incorrect.
>
> On 12/8/06, Francois Pernet <Fra...@id...> wrote:
> > Hi
> >
> > We will be obliged to regenerate the CA certificate (self-signed) because we need to change the DN of the CA. We won't change the secret key but only the cert. We will revoke the actual CA and then create a new CA cert.
> >
> > Is there any chance that we won't be obliged to recreate each certificate?
> > Will already published certificates be able to be verified against this new CA cert?
> > Is there any issue when doing such an operation?
> >
> > Thx
> >
> > -------------------------------------------------------------------------
> > Take Surveys. Earn Cash. Influence the Future of IT
> > Join SourceForge.net's Techsay panel and you'll get the chance to share your
> > opinions on IT & business topics through brief surveys - and earn cash
> > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> > _______________________________________________
> > Openca-Users mailing list
> > Ope...@li...
> > https://lists.sourceforge.net/lists/listinfo/openca-users
>
> --
> Diego

--
Diego
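The seven-step key rollover quoted above, and the Issuer-DN matching it mentions, can be checked end to end without an OpenCA installation. The following is an added example written for this page, not code from OpenCA, OpenSSL or the thread's authors: it uses Go's standard crypto/x509 package in place of the OpenSSL command line to build the four certificates the thread names (OldWithOld, NewWithOld, NewWithNew, OldWithNew) and then verifies certificates issued before and after the rollover against each root. The type and function names (Rollover, caTemplate, sign, RollOver, IssueLeaf, VerifyWith), the two CA names, the P-256 keys, and the validity periods and key usages are all assumptions of the example. Steps 2 and 3 (the two PKCS#10 requests) have no separate artefact here because Go certifies a public key directly rather than a CSR.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Rollover holds the four CA certificates named in the thread plus both key pairs.
type Rollover struct {
	OldWithOld, NewWithOld, NewWithNew, OldWithNew *x509.Certificate
	OldKey, NewKey                                 *ecdsa.PrivateKey
}

// caTemplate builds a CA certificate template; validity and usages are demo assumptions.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
}

// sign certifies pub under tpl's subject, with parent's name as issuer and parent's key as
// signer. Parsing the result populates SubjectKeyId, which Go copies into later AuthorityKeyIds.
func sign(tpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RollOver runs steps 1-7 of the thread for an existing CA key (oldKey) and produces the
// new key plus the two self-signed and two cross-signed CA certificates.
func RollOver(oldKey *ecdsa.PrivateKey, oldDN, newDN string) (*Rollover, error) {
	r := &Rollover{OldKey: oldKey}
	var err error
	oldTpl := caTemplate(oldDN, 1) // step 5: the pre-existing self-signed CA certificate
	if r.OldWithOld, err = sign(oldTpl, oldTpl, &oldKey.PublicKey, oldKey); err != nil {
		return nil, err
	}
	if r.NewKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil { // step 1
		return nil, err
	}
	// step 4: NewWithOld, the new public key certified by the old CA key
	if r.NewWithOld, err = sign(caTemplate(newDN, 2), r.OldWithOld, &r.NewKey.PublicKey, oldKey); err != nil {
		return nil, err
	}
	newTpl := caTemplate(newDN, 3) // step 6: NewWithNew, the new self-signed root
	if r.NewWithNew, err = sign(newTpl, newTpl, &r.NewKey.PublicKey, r.NewKey); err != nil {
		return nil, err
	}
	// step 7: OldWithNew, the old public key certified by the new CA key
	if r.OldWithNew, err = sign(caTemplate(oldDN, 4), r.NewWithNew, &oldKey.PublicKey, r.NewKey); err != nil {
		return nil, err
	}
	return r, nil
}

// IssueLeaf issues an end-entity certificate from the old or the new CA generation.
func (r *Rollover) IssueLeaf(cn string, useNewCA bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	parent, signer := r.OldWithOld, r.OldKey
	if useNewCA {
		parent, signer = r.NewWithNew, r.NewKey
	}
	return sign(tpl, parent, &key.PublicKey, signer)
}

// VerifyWith checks leaf as a relying party that trusts only root, with an optional
// cross-certificate offered as an intermediate. Chains are built on Issuer DN and key ids.
func VerifyWith(leaf, root, cross *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	if cross != nil {
		inters.AddCert(cross)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}
```

Calling RollOver with an existing key and then VerifyWith shows what each cross-certificate is for: a relying party that has replaced OldWithOld by NewWithNew in its trust store cannot validate a certificate issued before the rollover (its Issuer DN and key no longer match any trusted root) until OldWithNew is supplied as an intermediate, and one still trusting only OldWithOld needs NewWithOld to validate certificates issued by the new key. With the OpenSSL files the thread refers to, the same check is `openssl verify -CAfile NewWithNew.pem -untrusted OldWithNew.pem old-leaf.pem`; keeping both cross-certificates in a safe place, as steps 4 and 7 say, is what lets either population of relying parties keep validating during the transition.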