[Ejbca-develop] Beginners question about (SUB)CA renewal

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

I am playing around with the current release of EJBCA having a Root CA
and a Sub CA.

I came accross some questions in relation to renew of a (Sub CA):

  * When I renew a (SUB)CA I assume that a new certificate is issued and
    signed by the Root CA. I wonder about the old/previous
    certificates.
     1. Can I find them somewhere in the EJBCA?
        I can list them with cli 'ejbca ca listexpired 10000'
     2. Can I revoke an old certificate (renewed) of a SUBCA without
        revoking the whole CA?

  * When I edit the Sub CA and check on renew the "create link
    certificate" and "generate new key" I get an exception. I only get
    the download link to the "link certificate"
     1. renew with "generate new key"
     2. renew a 2nd time with "create link certificate" - after this
        step I get download links for the Link certificate
        Is this one signed with the key I had before step 1?

Thanks in advance for your help!

Andreas