Comments (2)
I'd suggest starting over again with a fresh CA cert, one with potentially a longer lifetime. You probably would want to archive, rotate, or otherwise delete the old CA cert directory.
To the best of my knowledge, all generated certificates become effectively invalid after the CA cert has expired since anyone trying to validate the generated certs cannot do so. Sure, we could reissue with a different serial number, but I think that is just going to lead to administrative confusion with the previously generated certificates which might not have expired themselves but still would be invalid.
If you have a use case where the CA certificate can be usefully renewed, I'd be willing to reconsider.
My understanding is that in general for real certificate authorities, the ultimate signing authority root key is generally valid for very long periods of time (decades is not rare) and kept in a safe. A slave signing authority valid for a shorter period of time is generated. When the slave CA cert starts getting close to expiration (expiration - the length of sub-certificate lifetimes) a new slave CA cert is generated which is used to generate subsequent client/server certificates. What the best policy is for you, only you can say.
Probably it would be a good idea for the system to warn if the requested certificate lifetime was longer than the CA cert lifetime.
from ca-baka.
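The lifetime rules described in the comment above (a long-lived root, a shorter-lived issuing CA that is replaced at "expiration minus sub-certificate lifetime", leaf certificates that stop validating once any CA above them expires, and the suggested warning when a requested lifetime outlives the CA cert) as an added Python example. This is not ca-baka's code; it models only validity dates, with no keys or signatures, and the certificate names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added example, not ca-baka's code: models the lifetime rules discussed in the
# thread (root > issuing CA > leaf, and the "warn if the requested lifetime
# outlives the CA cert" check). Only validity dates are modelled.


@dataclass(frozen=True)
class CertValidity:
    name: str
    not_before: datetime
    not_after: datetime
    issuer: Optional["CertValidity"] = None  # None means a self-signed root


def effective_validity(cert: CertValidity):
    """Window in which the whole chain up to the root validates.

    A certificate is only trusted while every CA above it is also inside its
    own validity period, so the window is the intersection of all of them.
    """
    start, end = cert.not_before, cert.not_after
    link = cert.issuer
    while link is not None:
        start = max(start, link.not_before)
        end = min(end, link.not_after)
        link = link.issuer
    return start, end


def lifetime_warning(ca: CertValidity, requested_not_before: datetime,
                     lifetime: timedelta) -> Optional[str]:
    """The warning suggested in the thread: the requested certificate would
    expire after the CA chain that signs it stops validating."""
    requested_not_after = requested_not_before + lifetime
    _, ca_end = effective_validity(ca)
    if requested_not_after > ca_end:
        return (f"requested cert would expire {requested_not_after:%Y-%m-%d} but its "
                f"issuer chain ({ca.name}) stops validating on {ca_end:%Y-%m-%d}")
    return None


def rollover_date(ca: CertValidity, sub_cert_lifetime: timedelta) -> datetime:
    """Point at which a replacement CA should take over issuing:
    the CA's effective expiration minus the lifetime of the certs it issues."""
    _, ca_end = effective_validity(ca)
    return ca_end - sub_cert_lifetime


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample hierarchy (all dates are made up for illustration).
ROOT = CertValidity("root", utc(2020, 1, 1), utc(2040, 1, 1))
ISSUING = CertValidity("issuing-2020", utc(2020, 1, 1), utc(2025, 1, 1), ROOT)
# An issuing CA whose own notAfter (2045) runs past its root (2040): nothing can
# validate it after the root expires, so its effective window ends in 2040.
OVERLONG = CertValidity("issuing-overlong", utc(2020, 1, 1), utc(2045, 1, 1), ROOT)


def run_checks() -> dict:
    one_year = timedelta(days=365)
    return {
        "overlong_effective_end": effective_validity(OVERLONG)[1].strftime("%Y-%m-%d"),
        # Requested in mid-2023: fits inside the issuing CA's lifetime, no warning.
        "leaf_ok": lifetime_warning(ISSUING, utc(2023, 6, 1), one_year),
        # Requested in mid-2024: would outlive the issuing CA, warning returned.
        "leaf_warning": lifetime_warning(ISSUING, utc(2024, 6, 1), one_year),
        # Replacement issuing CA should be in place one leaf-lifetime early.
        "issuing_rollover": rollover_date(ISSUING, one_year).strftime("%Y-%m-%d"),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

The intersection in `effective_validity` is what makes the first comment's point concrete: reissuing a leaf under a new serial does not help once the CA above it has expired, because the leaf's own dates are not the binding constraint. The rollover date is the "expiration minus sub-certificate lifetime" threshold from the comment; issuing past it guarantees leaves that outlive their issuer.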
Thanks for your thorough response, it definitely cleared a few things up for me. As you might have guessed I am by no means an expert in the field of SSL so it's all still a bit foggy for me.
I did do some reading on renewing CA certificates and those seem to generate a new certificate from the old key which would produce a new compatible certificate though that would still have to be re-distributed. I think I agree with you that having a high lifetime root CA with subCAs is an easier solution.
from ca-baka.