  1. Senior Member Devilsbane
    Join Date
    Apr 2010
    Posts
    4,203

    Certifications
    MCSE:Security, MCDST, A+, Network+, Security+, ITIL V3 Foundations, ITIL 2011 Intermediate: Service Transition, MOS 2007 (MCAS) BAS Computer Forensics
    #1

    Renewing a CA cert

    Quick question. If you renew the CA certificate you can choose to keep the same key pair or generate new keys. Generating new keys is obviously more secure, but is this then going to expire all of the certs that were created with the old pair? I can't find a definitive answer, but it seems logical.

    Thanks

  3. Virtual Member undomiel
    Join Date
    Sep 2007
    Location
    Bellevue, WA
    Posts
    2,813

    Certifications
    MCSA:2008, VCP4/5, CCA (XS), MCITP: EA/VA, MCSE, MCSA, Linux+, Security+, Server+, A+
    #2
    It's not quite my area of expertise, but you may want to read this article: Root CA certificate renewal, and this one: Renewing a certification authority: Public Key

  4. Senior Member
    Join Date
    Aug 2008
    Posts
    3,951
    #3
    Originally posted by Devilsbane:
    Quick question. If you renew the CA certificate you can choose to keep the same key pair or generate new keys. Generating new keys is obviously more secure, but is this then going to expire all of the certs that were created with the old pair? I can't find a definitive answer, but it seems logical.

    Thanks

    Generally speaking, for x509 cert implementations, you can renew your CA cert off the same key pair. The only thing that expires is the public certificate, not the private keys. You'll need to distribute and install the new public CA cert through whatever means you initially distributed it. The same thing goes for client certs as well. There's no need to generate a new keypair; you just generate a new CSR off your existing key pair, send the CSR in for the CA to sign, and install the new cert that you get back.
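Added example, not part of the thread: a Go program (standard library only) for the case the question asks about, going one step beyond the reply above by also renewing the CA certificate onto a new key pair. It issues a leaf certificate under a CA, renews the CA certificate both ways, and checks which CA certificate the already-issued leaf still chains to; the names `Demo Root CA` and `host.example`, the serials and the lifetimes are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // abort the demo on any crypto error
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a cert over pub; parent == nil makes a self-signed CA cert.
func issue(cn string, serial int64, days int, pub *rsa.PublicKey, parent *x509.Certificate, signer *rsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days),
		BasicConstraintsValid: true, IsCA: parent == nil}
	if parent == nil {
		t.KeyUsage, parent = x509.KeyUsageCertSign, t
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

// chains reports whether leaf verifies with root as the only trust anchor.
func chains(leaf, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// RenewalDemo checks a leaf issued before renewal against three CA certificates.
func RenewalDemo() (oldCert, sameKey, newKey bool) {
	gen := func() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
	caKey, caKey2, leafKey := gen(), gen(), gen()
	oldCA := issue("Demo Root CA", 1, 30, &caKey.PublicKey, nil, caKey) // constructed names and lifetimes
	leaf := issue("host.example", 100, 20, &leafKey.PublicKey, oldCA, caKey)
	renewedSame := issue("Demo Root CA", 2, 3650, &caKey.PublicKey, nil, caKey)    // same key pair
	renewedNew := issue("Demo Root CA", 3, 3650, &caKey2.PublicKey, nil, caKey2) // new key pair
	return chains(leaf, oldCA), chains(leaf, renewedSame), chains(leaf, renewedNew)
}

func main() { fmt.Println(RenewalDemo()) } // true true false
```

The leaf's own expiry date is the same in all three checks. With a new key pair, relying parties have to keep trusting the old CA certificate until the certificates issued under it expire or are reissued.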
