CA Expiry impact on subCA's ?

Help
2011-09-06
2013-02-18
  • Geert Janssens

    Geert Janssens - 2011-09-06

    Hi, I have a master CA set up, valid for 10 years. This was a couple of years ago, so it is now still valid for say 5 years. I want to create a subCA which should also be valid for 10 years. If I sign this subCA with the master CA, what will happen in 5 years when the master CA expires ?
    Will clients that verify certificate expiry dates complain about this ? "The subCA was signed with a CA that has expired"
    And if I simply renew the master CA at that time, will the clients then consider the subCA valid even though it was signed with the previous master CA certificate ?

    Thanks for shedding some light on this.

    Geert

     
  • J Eklund

    J Eklund - 2011-09-06

    Since your root will be invalid after 5 years, no certificate chain that leads up to this can be valid. EJBCA will not let you create a SubCA with a validity that is longer than the Root's. So.. I would suggest that you renew your root right before you create the SubCA. Since it was a while ago and you probably want to upgrade your installation at the same time, just check out www.primekey.se if you think you will need a helping hand during this process.

    Best Regards,
    Johan

     
  • Geert Janssens

    Geert Janssens - 2011-09-06

    Thank you for your reply.

    I upgraded the installation fairly recently, so I'm only facing the subCA validity issue right now.

    What impact has renewal of the root have on the certificates that had been issued so far ? Will they be invalidated or is the old root still considered valid ?

     
  • Geert Janssens

    Geert Janssens - 2011-09-06

    I accidentally hit the Add Reply button, but I had a second question still:
    When I create a new root certificate, I suppose my users will get warnings in their browsers when they are presented a certificate signed by the new root ? Or is there a way I can have them automatically trust the new root based on its relationship to the old root ?

    Best regards,

    Geert

     
  • Anonymous - 2011-09-07

    If you use the existing key everything should work as before but since the new root certificate anyway must be distributed this doesn't make much of a difference except that you should be able to replace the old root.

    Regards,
    Anders

     
  • Geert Janssens

    Geert Janssens - 2011-09-07

    Ok, thank you for the details.

    Best regards,

    Geert

     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.





No, thanks