[openssl-users] Properly manage CA-signed certificates that have expired

warron.french warron.french at gmail.com
Thu Mar 31 15:16:10 UTC 2016


Hello, I had to build a Certificate Authority (CA) server for an isolated
network (I know, it seems silly).

Anyway, I figured out how to create the CA service doing a self-signed
certificate that will expire in 9 years, because it was a 10-year
certificate of which 9 years remains available.

I then created separate TLS keys and CSRs and had them signed by the CA
server.

The 2 certificates for the "servers" (it's actually all the same 1 server
with different DNS-A-Record resolvable names) worked perfectly for the past
1 year; but I was kept busy working on other tasks; so this isolated
network got neglected.  The two (2) certificates for the servers expired
last month.

I documented how to build the CA, how to create the CSRs and get them
signed; but I didn't know how to write the documentation for maintaining
any certificates once they expired.

I want to properly, and gracefully, manage the CA server to do whatever is
appropriate.

I believe, but do not know for sure, that what I want to do is:
1.  Revoke the expired certificates (maybe that is not necessary or
appropriate?)
2.  Clean up the CA database (with the openssl ca -updatedb command?)
3.  Then create new server certificates for the 2 servers again.

I don't want to use the same 1 certificate for 2 services, because I have
one for TLS-securing the LDAP service making it an ldapS:// url, and the
other is for TLS-securing the AdminConsole of the same 389-ds
implementation.

Please help, I don't know what terminology I am looking for to properly
pursue what a Professional CA (like Verisign, or wherever) would do.



Thanks,
--------------------------
Warron French
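The three steps the post lists can be walked through against a throwaway CA. The script below is an added example, not part of the original post and not OpenSSL's own documentation: every name, path and date in it (Isolated Test CA, ldap.example.test, the 2015/2016 validity window) is constructed, and it assumes an `openssl` binary of version 1.1.1 or later with the `openssl ca` default of `unique_subject = yes`. It reproduces the situation described: a server certificate that has already expired sits in the CA's `index.txt` as a `V` row, so signing a replacement CSR for the same subject is refused until `openssl ca -updatedb` (step 2 in the post) moves that row to `E`; after that the replacement (step 3) is issued under a fresh key. Revocation (step 1) is not needed for validity: a relying party rejects the expired certificate on its dates regardless, which is why `-updatedb` only adjusts the CA's own bookkeeping.

```shell
#!/bin/sh
# Throwaway CA reproducing the expired-certificate situation, then the
# maintenance steps: `openssl ca -updatedb` followed by issuing a replacement.
# All names, paths and dates are constructed for this example.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Minimal CA directory layout and a self-contained config (both the [req]
# and [ca] sections live in the same file so no system openssl.cnf is needed).
setup_ca() {
    mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"          # the CA database openssl ca maintains
    echo 1000 > "$CA_DIR/serial"
    cat > "$CA_DIR/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign

[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
policy           = policy_cn
x509_extensions  = server_ext
[ policy_cn ]
commonName       = supplied
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
EOF
    openssl req -config "$CA_DIR/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" \
        -subj "/CN=Isolated Test CA" >/dev/null 2>&1
}

# Fresh key and CSR for a server name; a replacement cert also gets a new key.
make_csr() {   # $1 = basename for key/csr, $2 = DNS name
    openssl req -config "$CA_DIR/ca.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# Sign a CSR. Optional $3/$4 force the validity window (YYMMDDHHMMSSZ), which
# is how this example fabricates a certificate that has already expired.
sign_csr() {   # $1 = csr basename, $2 = cert basename, [$3 start, $4 end]
    if [ $# -ge 4 ]; then
        openssl ca -config "$CA_DIR/ca.cnf" -batch -notext -startdate "$3" -enddate "$4" \
            -in "$CA_DIR/$1.csr" -out "$CA_DIR/$2.crt" >/dev/null 2>&1
    else
        openssl ca -config "$CA_DIR/ca.cnf" -batch -notext \
            -in "$CA_DIR/$1.csr" -out "$CA_DIR/$2.crt" >/dev/null 2>&1
    fi
}

# Step 2 from the post: mark expired 'V' rows in index.txt as 'E'.
update_db() {
    openssl ca -config "$CA_DIR/ca.cnf" -updatedb >/dev/null 2>&1
}

# Status column (V/E/R) of every index.txt row for this CN, oldest first.
db_status() {   # $1 = DNS name
    awk -F'\t' -v cn="/CN=$1" '$NF == cn { printf "%s", $1 }' "$CA_DIR/index.txt"
}

demo() {
    setup_ca
    make_csr ldap-2015 ldap.example.test
    sign_csr ldap-2015 ldap-2015 150301000000Z 160301000000Z   # already expired
    make_csr ldap-2016 ldap.example.test
    # With unique_subject=yes the CA refuses a second certificate while the old
    # subject still has a 'V' row, even though that certificate has expired.
    if sign_csr ldap-2016 ldap-2016; then
        echo "unexpected: reissue succeeded before -updatedb" >&2; return 1
    fi
    update_db                      # expired row becomes 'E'
    sign_csr ldap-2016 ldap-2016   # replacement is now issued (step 3)
    openssl verify -CAfile "$CA_DIR/ca.crt" "$CA_DIR/ldap-2016.crt"
    echo "index.txt status for ldap.example.test: $(db_status ldap.example.test)"
}

demo
```

`db_status` ends up printing `EV`: the expired 2015 row marked `E` by `-updatedb`, followed by the new `V` row for the replacement. Running the same `sign_csr` twice without the `-updatedb` step in between is the "There is already a certificate for ..." failure, which is the practical reason step 2 has to precede step 3 when the server names stay the same.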