Re: Expiration of root CA
- To: Buchan Milne <bgmilne@staff.telkomsa.net>
- Subject: Re: Expiration of root CA
- From: Philippe Bloix <pbloix@gmail.com>
- Date: Fri, 12 Feb 2010 17:32:46 +0100
- Cc: openldap-technical@openldap.org
- In-reply-to: <201002121544.23985.bgmilne@staff.telkomsa.net>
- References: <7677ebd51002110318m7d93ac4dwaadfb6a0bb618d72@mail.gmail.com> <201002121544.23985.bgmilne@staff.telkomsa.net>
Thanks Buchan, but:
I've made the following tests:
1)
My current root CA : cacert.pem
My current server certificates: certificate_server.pem and certificate_server_private.pem
With these files, communication between clients and server is OK
2)
I create a new CA: cacert2.pem
and the new server certificates: certificate2_server.pem and certificate2_server_private.pem
With these certificates, communication between client and server is OK
3)
My last test is:
cacert.pem + cacert2.pem in the cacert3.pem file (this file is copied on the ldap server and each client)
certificate_server.pem + certificate2_server.pem in the certificate3_server.pem file
certificate_server_private.pem + certificate2_server_private.pem in the certificate3_server_private.pem
Before expiration time of cacert.pem, communication between client and server is OK
After expiration time of cacert.pem, communication between client and server is NOK!
What's wrong?
Regards
Philippe
2010/2/12 Buchan Milne <bgmilne@staff.telkomsa.net>
On Thursday, 11 February 2010 12:18:37 Philippe Bloix wrote:
> Hi,
>
> My root CA will expire soon. What is the best method to avoid break between
> ldap server and ldap client communication?
>
> If i create a new root CA, then i will have to copy this new root CA on
> each ldap client (several hundred). In this case, is it possible to switch
> from the old root CA to the new root CA without a break between server and
> client? How?
You should be able to deploy a new CA certificate file that contains both CA
certificates. As long as you deploy the combined CA cert file before you issue
new certs, and replace all the client or server certificates before the old CA
expires, you should have no interruption of service.
Regards,
Buchan
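Buchan's procedure as an added example (shell with openssl; not code from either poster): two throwaway root CAs are concatenated into one CA file, one server certificate is issued from each, and `openssl verify -attime` shows which of them still validates against the combined file once the old root has expired. The CA lifetimes, subjects and hostname are made up for the demonstration; only the file names follow the thread.

```shell
#!/bin/sh
# Added example, not code from either poster: build a throwaway old and new
# root CA, concatenate them into one CA file as Buchan describes, and use
# `openssl verify -attime` to show which server certificates still validate
# once the old root has expired. File names follow the thread; the CA
# lifetimes, subjects and hostname are made up for the demonstration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Old root: 1 day of validity stands in for "expires soon". New root: 10 years.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Old Root CA" \
  -keyout ca1.key -out cacert.pem >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=New Root CA" \
  -keyout ca2.key -out cacert2.pem >/dev/null 2>&1

# issue_server_cert OUTFILE CA_CERT CA_KEY: one leaf certificate per file.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 365 -out "$1" >/dev/null 2>&1
}
issue_server_cert certificate_server.pem cacert.pem ca1.key    # old root
issue_server_cert certificate2_server.pem cacert2.pem ca2.key  # new root

# Combined trust file: both roots, deployed to every client before the
# server switches to a certificate from the new root.
cat cacert.pem cacert2.pem > cacert3.pem

# count_certs FILE: number of PEM certificates in FILE.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# verify_at CERT CAFILE EPOCH: chain validation as of the given time.
verify_at() { openssl verify -attime "$3" -CAfile "$2" "$1" >/dev/null 2>&1; }

NOW=$(date +%s)
LATER=$((NOW + 2 * 86400))   # two days out: the old root has expired by then

for cert in certificate_server.pem certificate2_server.pem; do
  if verify_at "$cert" cacert3.pem "$NOW"; then a=ok; else a=FAIL; fi
  if verify_at "$cert" cacert3.pem "$LATER"; then b=ok; else b=FAIL; fi
  echo "$cert: now=$a after_old_root_expiry=$b"
done
```

The combined file only buys time for the trust store: a server certificate signed by the old root stops validating the moment that root expires, so the server (and any client certificates) must be reissued from the new root before then, exactly as Buchan says.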