<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1252">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix"><tt>On 31/03/2016 17:16, warron.french
wrote:</tt><tt><br>
</tt></div>
<blockquote class=" cite"
id="mid_CAJdJdQmBBmwoc4unKMKYTo_51GxKfta7bTJh1y_rb_qHqZZKDQ_mail_gmail_com"
cite="mid:CAJdJdQmBBmwoc4unKMKYTo_51GxKfta7bTJh1y=rb=qHqZZKDQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><tt>Hello, I had to build a Certificate Authority (CA)
server for an isolated network (I know, it seems silly).</tt></div>
<div><tt><br>
</tt></div>
<div><tt>Anyway, I figured out how to create the CA service
doing a self-signed certificate that will expire in 9 years,
because it was a 10-year certificate of which 9 years
remains available.</tt></div>
<div><tt><br>
</tt></div>
<div><tt>I then created separate TLS keys and CSRs and had them
signed by the CA server.</tt></div>
<div><tt><br>
</tt></div>
<div><tt>The 2 certificates for the "servers" (it's actually all
the same 1 server with different DNS-A-Record resolvable
names) worked perfectly for the past 1 year; but I was kept
busy working on other tasks; so this isolated network got
neglected. The two (2) certificates for the servers expired
last month.</tt></div>
<div><tt><br>
</tt></div>
<div><tt>I documented how to build the CA, how to create the
CSRs and get them signed; but I didn't know how to write the
documentation for maintaining any certificates once they
expired.</tt></div>
<div><tt><br>
</tt></div>
<div><tt>I want to properly, and gracefully, manage the CA
server to do whatever is appropriate.</tt></div>
<div><tt><br>
</tt></div>
<div><tt>I believe, but do not know for sure, that what I want
to do is:</tt></div>
<div><tt>1. Revoke the expired certificates (maybe that is not
necessary or appropriate?)</tt></div>
</div>
</blockquote>
<tt><br>
</tt><tt>Not needed, only do this if the old private key was
compromised.</tt><tt><br>
</tt>
<blockquote class=" cite"
id="mid_CAJdJdQmBBmwoc4unKMKYTo_51GxKfta7bTJh1y_rb_qHqZZKDQ_mail_gmail_com"
cite="mid:CAJdJdQmBBmwoc4unKMKYTo_51GxKfta7bTJh1y=rb=qHqZZKDQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><tt>2. Clean up the CA database (with the openssl ca
-updatedb command?)</tt></div>
</div>
</blockquote>
<tt>Not needed (I think, never used that command).</tt><tt><br>
</tt>
<blockquote class=" cite"
id="mid_CAJdJdQmBBmwoc4unKMKYTo_51GxKfta7bTJh1y_rb_qHqZZKDQ_mail_gmail_com"
cite="mid:CAJdJdQmBBmwoc4unKMKYTo_51GxKfta7bTJh1y=rb=qHqZZKDQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><tt>3. Then create new server certificates for the 2
servers again.</tt></div>
<div><tt><br>
</tt></div>
</div>
</blockquote>
<tt>Yep, and give the new ones a slightly different "full" <br>
distinguished name (important for CRL and "ca" database).<br>
My approach is to include the year-month as an extra OU e.g.</tt><tt><br>
</tt><tt><br>
</tt><tt>
CN=foo.example.private,OU=isonetwork,OU=2016-03,O=YourCompany
Inc,L=YourTown,C=XX</tt><tt><br>
<br>
</tt><tt>(This of course needs to be input when generating the new
keys <br>
and requests, then checked when signing them).<br>
<br>
You should also set up a CRL generation and renewal process, <br>
so you can revoke any compromised keys and tell the clients. <br>
This would require logging on to the CA once a month to sign <br>
an (updated but unchanged) CRL and copy it to some http or <br>
ldap URL on the isolated network. Professional CAs do this <br>
daily, but that's too much work for a tiny company CA.<br>
</tt>
<pre class="moz-signature" cols="72">Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. <a class="moz-txt-link-freetext" href="https://www.wisemo.com">https://www.wisemo.com</a>
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded </pre>
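The renewal and CRL routine described in the reply (new server certificates whose DN carries the issue year-month as an extra OU, the CSR subject checked before signing, a CRL re-signed on a schedule and used by clients), written out as a POSIX shell script around openssl(1). This is an added example, not code from the thread or from either poster; the scratch directory layout, the YourCompany Inc / YourTown DN values, the host name foo.example.private, the one-year certificate lifetime and 30-day CRL interval are assumptions, and "2015-03" merely stands in for the certificate that has since expired. The revocation near the end simulates a key compromise so that the CRL path is exercised; as the reply says, expiry alone is no reason to revoke.

```shell
#!/bin/sh
# Added example (not from the thread): renew server certificates on a small
# private CA with a date-stamped OU and keep a periodic CRL, using openssl(1).
# Paths, DN values and host names below are assumptions for the demonstration.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl(1) is required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
CA="$WORK/ca"
CRL="$CA/crl/isonetwork.crl"

# One-time CA setup: directory layout, empty "ca" database, 10-year self-signed
# root.  The original poster already has this; it is built here so the script
# runs offline.  unique_subject=yes makes openssl ca refuse a second valid
# certificate with an identical DN, which is why renewals get a new OU.
setup_ca() {
  mkdir -p "$CA/certs" "$CA/crl" "$CA/private"
  : > "$CA/index.txt"
  echo 1000 > "$CA/serial"
  echo 1000 > "$CA/crlnumber"
  cat > "$CA/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = isonet_ca
[ isonet_ca ]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir/certs
certificate      = \$dir/ca.crt
private_key      = \$dir/private/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
unique_subject   = yes
policy           = policy_isonet
[ policy_isonet ]
countryName            = supplied
localityName           = optional
organizationName       = supplied
organizationalUnitName = optional
commonName             = supplied
EOF
  openssl req -config "$CA/openssl.cnf" -x509 -new -newkey rsa:2048 -nodes \
    -days 3650 -extensions v3_ca \
    -subj "/C=XX/L=YourTown/O=YourCompany Inc/OU=isonetwork/CN=isonetwork CA" \
    -keyout "$CA/private/ca.key" -out "$CA/ca.crt" 2>/dev/null
}

# Key + CSR for $1 with the issue year-month ($2) as an extra OU, i.e. the
# reply's CN=...,OU=isonetwork,OU=2016-03,O=...,L=...,C=XX in openssl order.
make_csr() {
  host=$1; ym=$2; base="$WORK/$host-$ym"
  openssl req -config "$CA/openssl.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/C=XX/L=YourTown/O=YourCompany Inc/OU=$ym/OU=isonetwork/CN=$host" \
    -keyout "$base.key" -out "$base.csr" 2>/dev/null
}

# Sign the CSR for $1/$2 into $3, first checking that the request really
# carries the expected date OU and CN (the check the reply asks for).  Server
# extensions come from a file the CA controls, never from the CSR.
sign_csr() {
  host=$1; ym=$2; out=$3; base="$WORK/$host-$ym"
  subject=$(openssl req -in "$base.csr" -noout -subject)
  case $subject in
    *"OU = $ym"*"CN = $host"*|*"OU=$ym"*"CN=$host"*) ;;
    *) echo "CSR subject mismatch: $subject" >&2; return 1 ;;
  esac
  cat > "$base.ext" <<EOF
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl ca -batch -config "$CA/openssl.cnf" -notext \
    -extfile "$base.ext" -extensions server_ext -in "$base.csr" -out "$out"
}

issue_server_cert() { make_csr "$1" "$2" && sign_csr "$1" "$2" "$WORK/$1-$2.csr.crt" && mv "$WORK/$1-$2.csr.crt" "$WORK/$1-$2.crt"; }

# The periodic chore from the reply: re-sign the CRL (content unchanged, new
# thisUpdate/nextUpdate) and publish it where the isolated network's clients fetch it.
refresh_crl() { openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CRL"; }

# Only for a compromised key; expiry alone needs no revocation.
revoke_cert() {
  openssl ca -config "$CA/openssl.cnf" -revoke "$1" -crl_reason keyCompromise
  refresh_crl
}

# What a client should conclude: chains to our CA and is absent from the CRL.
verify_cert() { openssl verify -CAfile "$CA/ca.crt" -crl_check -CRLfile "$CRL" "$1" >/dev/null 2>&1; }

count_valid()   { grep -c '^V' "$CA/index.txt" || true; }
count_revoked() { grep -c '^R' "$CA/index.txt" || true; }

setup_ca
# 2015-03 stands in for the now-expired certificate; 2016-03 is its renewal.
# The DNs differ only in the date OU, so both can sit in the database together.
issue_server_cert foo.example.private 2015-03
issue_server_cert foo.example.private 2016-03
refresh_crl
verify_cert "$WORK/foo.example.private-2016-03.crt" && echo "renewed certificate verifies"

# Re-signing a request whose DN matches a still-valid entry is refused.
if sign_csr foo.example.private 2016-03 "$WORK/duplicate.crt"; then
  echo "unexpected: duplicate DN accepted" >&2; exit 1
fi
echo "duplicate DN refused by the ca database, as expected"

# Simulated key compromise of the old certificate: revoke, re-sign the CRL,
# and confirm clients now reject it while the renewal still verifies.
revoke_cert "$WORK/foo.example.private-2015-03.crt"
if verify_cert "$WORK/foo.example.private-2015-03.crt"; then
  echo "unexpected: revoked certificate still verifies" >&2; exit 1
fi
verify_cert "$WORK/foo.example.private-2016-03.crt" && echo "renewal unaffected by the revocation"
echo "database: $(count_valid) valid, $(count_revoked) revoked"
```

The script keeps the reply's division of labour: the requester supplies the date OU when generating the key and request, and the CA operator checks it on the CSR before signing. default_crl_days = 30 makes the CRL's nextUpdate fall one month out, matching the monthly re-signing the reply proposes; shorten it if the CA is visited more often.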
</body>
</html>