Re: [Ejbca-develop] Beginners question about (SUB)CA renewal

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi,

On 2015-06-16 21:26, aw-...@mw... wrote:
> I am playing around with the current release of EJBCA having a Root CA
> and a Sub CA.
>
> I came accross some questions in relation to renew of a (Sub CA):
>
>    * When I renew a (SUB)CA I assume that a new certificate is issued and
>      signed by the Root CA. I wonder about the old/previous
>      certificates.
>       1. Can I find them somewhere in the EJBCA?
>          I can list them with cli 'ejbca ca listexpired 10000'

Should be possible yes.

>       2. Can I revoke an old certificate (renewed) of a SUBCA without
>          revoking the whole CA?

I don't think so.

>
>    * When I edit the Sub CA and check on renew the "create link
>      certificate" and "generate new key" I get an exception. I only get
>      the download link to the "link certificate"
>       1. renew with "generate new key"

Are you using the latest EJBCA 6.3.1.1?

>       2. renew a 2nd time with "create link certificate" - after this
>          step I get download links for the Link certificate
>          Is this one signed with the key I had before step 1?

This should be so yes.

Regards,
Tomas