From: Karl O. P. <ko...@me...> - 2009-04-05 03:41:49

Hi,

I'm using easy-rsa 2.0 and thinking ahead to what will happen when my root CA expires. I can generate another root CA and start all over with an entirely fresh PKI/easy-rsa directory. Because the --ca file can contain multiple certificates in PEM format, appended to one another, I can use both the old and new root certificates during a transition period before the old root cert expires.

It's kind of nice to think of starting over with a new PKI, and retiring all the old cruft after everyone's using the new root CA cert.

What I'm wondering about is what to do with the certificate revocation list. The docs on --crl-verify do _not_ say that the file can contain multiple CRLs in PEM format. So the question is how to continue to revoke certificates associated with the old root CA cert, while still being able to revoke certificates associated with the new CA cert? (I assume that the CRL is signed by the root CA.)

My guess, based on the openssl verify docs, is that it might be possible to have the --crl-verify file consist of multiple appended CRLs in PEM format. Regardless, it seemed safest to ask here about the appropriate procedures to follow when (or some time before!) the root CA cert expires.

Thanks.
Karl <ko...@me...>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
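As an added example (not part of Karl's post, nor easy-rsa's or OpenVPN's own code), the script below builds two throwaway root CAs with the openssl CLI, revokes the leaf issued by the old one, appends both CRLs into a single PEM file, and then asks OpenSSL's own verifier to check each leaf against the combined CA bundle and the combined CRL bundle. It shows only how the OpenSSL library treats such a file; whether OpenVPN's --crl-verify behaves the same way is exactly the question the post raises and is not answered here. The CA names, directory layout and config are all constructed for the example.

```shell
# Added example (not from the original post): two root CAs ("old", "new"), one
# leaf each, the old leaf revoked, both CRLs appended into one PEM file, then
# each leaf checked with OpenSSL's own verifier. Needs the openssl CLI only.
set -e
WORK=$(mktemp -d)
# write_cnf <dir>: minimal CA config; the [req] part gives the self-signed root
# a CA:TRUE basicConstraints so that verify accepts it as an issuer.
write_cnf() { cat > "$1/ca.cnf" <<EOF
[ca]
default_ca = r
[r]
dir = $1
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = p
[p]
commonName = supplied
[req]
distinguished_name = d
x509_extensions = v
[d]
[v]
basicConstraints = critical,CA:TRUE
EOF
}
# make_ca <name>: self-signed root plus one leaf certificate it issued
make_ca() { d="$WORK/$1"; mkdir -p "$d"; : > "$d/index.txt"; echo 01 > "$d/serial"
    write_cnf "$d"
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" -subj "/CN=$1 root" 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=$1 leaf" 2>/dev/null
    openssl ca -batch -config "$d/ca.cnf" -in "$d/leaf.csr" -out "$d/leaf.crt" -notext 2>/dev/null
}
# revoke <name> marks that CA's leaf revoked; gencrl <name> (re)issues its CRL
revoke() { openssl ca -batch -config "$WORK/$1/ca.cnf" -revoke "$WORK/$1/leaf.crt" 2>/dev/null; }
gencrl() { openssl ca -config "$WORK/$1/ca.cnf" -gencrl -out "$WORK/$1/ca.crl" 2>/dev/null; }
# verify_leaf <name>: exit 0 iff the leaf passes against the combined CA bundle
# and the combined CRL bundle (each leaf must find its own issuer's CRL there)
verify_leaf() { openssl verify -crl_check -CAfile "$WORK/all-ca.pem" -CRLfile "$WORK/all-crl.pem" "$WORK/$1/leaf.crt" >/dev/null 2>&1; }
make_ca old; make_ca new
revoke old; gencrl old; gencrl new
cat "$WORK/old/ca.crt" "$WORK/new/ca.crt" > "$WORK/all-ca.pem"   # like a multi-cert --ca file
cat "$WORK/old/ca.crl" "$WORK/new/ca.crl" > "$WORK/all-crl.pem"  # two CRLs, appended
verify_leaf new && echo "new leaf: OK"
verify_leaf old || echo "old leaf: rejected (revoked)"
```

Run it with the openssl binary on PATH: the old leaf is rejected as revoked while the new leaf passes, even though both carry serial 01, because each CRL in the appended file is matched to its own issuer.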