
Comments (2)

SethRobertson commented on August 11, 2024

I'd suggest starting over again with a fresh CA cert, one with potentially a longer lifetime. You probably would want to archive, rotate, or otherwise delete the old CA cert directory.

To the best of my knowledge, all generated certificates become effectively invalid after the CA cert has expired since anyone trying to validate the generated certs cannot do so. Sure, we could reissue with a different serial number, but I think that is just going to lead to administrative confusion with the previously generated certificates which might not have expired themselves but still would be invalid.

If you have a use case where the CA certificate can be usefully renewed, I'd be willing to reconsider.

My understanding is that in general for real certificate authorities, the ultimate signing authority root key is generally valid for very long periods of time (decades is not rare) and kept in a safe. A slave signing authority valid for a shorter period of time is generated. When the slave CA cert starts getting close to expiration (expiration - the length of sub-certificate lifetimes) a new slave CA cert is generated which is used to generate subsequent client/server certificates. What the best policy is for you, only you can say.

Probably it would be a good idea for the system to warn if the requested certificate lifetime was longer than the CA cert lifetime.

from ca-baka.
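The two policies Seth describes above, warning when a requested certificate lifetime runs past the CA certificate's expiry and rolling to a new sub-CA at (CA expiration - leaf lifetime), as an added illustration that is not ca-baka's own code; it assumes the `notAfter=` line format printed by `openssl x509 -noout -enddate`, and the CA expiry date in it is a constructed sample.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of what `openssl x509 -noout -enddate -in ca.crt` prints.
SAMPLE_CA_ENDDATE = "notAfter=Aug 11 00:00:00 2026 GMT"


def utc(year, month, day):
    """Helper to build a UTC midnight timestamp."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_openssl_enddate(line):
    """Parse the 'notAfter=Mon DD HH:MM:SS YYYY GMT' line into an aware UTC datetime."""
    value = line.strip().split("=", 1)[1]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def check_leaf_lifetime(ca_not_after, issue_time, leaf_lifetime):
    """Return (effective_not_after, warning).

    A leaf cannot be validated past its issuing CA's expiry, so the effective
    end of life is the earlier of the requested notAfter and the CA notAfter.
    warning is None when the requested lifetime fits under the CA certificate.
    """
    requested_not_after = issue_time + leaf_lifetime
    if requested_not_after > ca_not_after:
        warning = (
            f"requested lifetime ends {requested_not_after:%Y-%m-%d} but the CA "
            f"certificate expires {ca_not_after:%Y-%m-%d}; the certificate is "
            f"effectively valid only until the CA expires"
        )
        return ca_not_after, warning
    return requested_not_after, None


def sub_ca_rollover_date(ca_not_after, leaf_lifetime):
    """Last moment at which a full-lifetime leaf still fits under this sub-CA."""
    return ca_not_after - leaf_lifetime


def needs_new_sub_ca(ca_not_after, leaf_lifetime, now):
    """True once issuing from this sub-CA would produce leaves that outlive it."""
    return now >= sub_ca_rollover_date(ca_not_after, leaf_lifetime)


if __name__ == "__main__":
    ca_expiry = parse_openssl_enddate(SAMPLE_CA_ENDDATE)
    end, warning = check_leaf_lifetime(ca_expiry, utc(2026, 1, 1), timedelta(days=365))
    print(end.date(), warning)
    print("rollover:", sub_ca_rollover_date(ca_expiry, timedelta(days=365)).date())
```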

commented on August 11, 2024

Thanks for your thorough response, it definitely cleared a few things up for me. As you might have guessed I am by no means an expert in the field of SSL so it's all still a bit foggy for me.

I did do some reading on renewing CA certificates, and those seem to generate a new certificate from the old key, which would produce a new compatible certificate, though that would still have to be re-distributed. I think I agree with you that having a high-lifetime root CA with sub-CAs is an easier solution.

from ca-baka.
