[openssl-users] Properly manage CA-signed certificates that have expired
warron.french
warron.french at gmail.com
Thu Mar 31 15:16:10 UTC 2016
Hello, I had to build a Certificate Authority (CA) server for an isolated
network (I know, it seems silly).
Anyway, I figured out how to create the CA service doing a self-signed
certificate that will expire in 9 years, because it was a 10-year
certificate of which 9 years remain available.
I then created separate TLS keys and CSRs and had them signed by the CA
server.
The 2 certificates for the "servers" (it's actually all the same 1 server
with different DNS-A-Record resolvable names) worked perfectly for the past
1 year; but I was kept busy working on other tasks; so this isolated
network got neglected. The two (2) certificates for the servers expired
last month.
I documented how to build the CA, how to create the CSRs and get them
signed; but I didn't know how to write the documentation for maintaining
any certificates once they expired.
I want to properly, and gracefully, manage the CA server to do whatever is
appropriate.
I believe, but do not know for sure, that what I want to do is:
1. Revoke the expired certificates (maybe that is not necessary or
appropriate?)
2. Clean up the CA database (with the openssl ca -updatedb command?)
3. Then create new server certificates for the 2 servers again.
I don't want to use the same 1 certificate for 2 services, because I have
one for TLS-securing the LDAP service making it an ldapS:// url, and the
other is for TLS-securing the AdminConsole of the same 389-ds
implementation.
Please help, I don't know what terminology I am looking for to properly
pursue what a Professional CA (like Verisign, or wherever) would do.
Thanks,
--------------------------
Warron French
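The three steps the post lists all revolve around the state of the `openssl ca` database (`index.txt`), so the following added example (mine, not from the poster or the OpenSSL project) parses a constructed `index.txt`, shows what `openssl ca -updatedb` does to it (flips `V` entries that are past their expiry to `E`), and reports, per entry, whether revocation is needed before a replacement is issued. The layout assumed is the stock one `openssl ca` writes: six tab-separated fields, status (`V` valid, `R` revoked, `E` expired), expiry as UTCTime `YYMMDDHHMMSSZ`, revocation date (empty unless revoked), hex serial, file name (usually `unknown`) and subject DN. The subjects, serials and dates in the sample are constructed.

```python
"""Classify entries of an OpenSSL `ca` database (index.txt).

Added example, not code from the original post. It assumes the standard
index.txt layout written by `openssl ca`:
  status \t expiry \t revocation_date \t serial \t filename \t subject
"""
from datetime import datetime, timezone

# Constructed sample database: one still-valid cert, the two server certs
# from the post that lapsed last month, and one already-revoked cert.
SAMPLE_INDEX = (
    "V\t170301120000Z\t\t01\tunknown\t/CN=ca-tools.example.test\n"
    "V\t160215120000Z\t\t02\tunknown\t/CN=ldap.example.test\n"
    "V\t160215120000Z\t\t03\tunknown\t/CN=admin.example.test\n"
    "R\t170301120000Z\t160110093000Z\t04\tunknown\t/CN=old.example.test\n"
)

# The date the post was written; any aware datetime works as "now".
NOW = datetime(2016, 3, 31, 15, 16, 10, tzinfo=timezone.utc)


def parse_utctime(value):
    """index.txt stores UTCTime: two-digit year, YYMMDDHHMMSSZ, always UTC."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Parse index.txt into a list of dicts, one per certificate."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, expiry, revoked, serial, filename, subject = fields
        entries.append({
            "status": status,
            "expiry": parse_utctime(expiry),
            "revoked": parse_utctime(revoked) if revoked else None,
            "serial": serial,
            "filename": filename,
            "subject": subject,
        })
    return entries


def updatedb(entries, now):
    """Mimic `openssl ca -updatedb`: mark valid entries past expiry as E.

    Revoked entries are left alone; the CA keeps them for CRL generation.
    Returns the number of entries changed, mutating the list in place.
    """
    changed = 0
    for e in entries:
        if e["status"] == "V" and e["expiry"] < now:
            e["status"] = "E"
            changed += 1
    return changed


def plan_replacement(entries, now):
    """Return {serial: action} for an operator about to reissue certs.

    An expired certificate is already unusable, so it does not need to go on
    the CRL; only a certificate that is still valid must be revoked (and a
    fresh CRL published) before its replacement is trusted alongside it.
    """
    plan = {}
    for e in entries:
        if e["status"] == "R":
            plan[e["serial"]] = "revoked"
        elif e["status"] == "E" or e["expiry"] < now:
            plan[e["serial"]] = "expired-reissue"       # no -revoke needed
        else:
            plan[e["serial"]] = "valid-revoke-first"    # -revoke, -gencrl, reissue
    return plan


def serialize_index(entries):
    """Write entries back in index.txt layout (expiry/revocation as UTCTime)."""
    fmt = "%y%m%d%H%M%SZ"
    lines = []
    for e in entries:
        revoked = e["revoked"].strftime(fmt) if e["revoked"] else ""
        lines.append("\t".join([e["status"], e["expiry"].strftime(fmt), revoked,
                                e["serial"], e["filename"], e["subject"]]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    print(f"updatedb changed {updatedb(db, NOW)} entries")
    for serial, action in plan_replacement(db, NOW).items():
        print(serial, action)
    print(serialize_index(db), end="")
```

Running the script against the sample shows the two lapsed server certificates flip from `V` to `E` and are flagged `expired-reissue`, i.e. the post's step 1 (revoking them) is unnecessary and step 2 (`-updatedb`) is what tidies the database before step 3 issues fresh certificates.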