[openssl-users] Properly manage CA-signed certificates that have expired

Salz, Rich rsalz at akamai.com
Thu Mar 31 16:11:26 UTC 2016

> Yep, and give the new ones a slightly different "full" 
> distinguished name (important for CRL and "ca" database).
> My approach is to include the year-month as an extra OU e.g.
>  CN=foo.example.private,OU=isonetwork,OU=2016-03,O=YourCompany Inc,L=YourTown,C=XX

Ooh, that's neat advice!

Senior Architect, Akamai Technologies
IM: richsalz at jabber.at Twitter: RichSalz

More information about the openssl-users mailing list