| Author |
Message |
Mike Robinson
Guest
|
 Posted:
Mon Jan 31, 2005 6:47 am Post subject:
Root CA expiry |
|
|
We have a client using IPSec for VPN security. All of their certificates
are due to expire on the same day within the next few weeks, and I've
figured out that the root CA certificate is also due to expire.
If I renew the root CA, will this automatically make the old certificates
obsolete? I don't want to renew too early in case all of the IPSec
certificates suddenly need to be re-done at the same time.
Will it make any difference to the validity of the current IPSec
certificates if I choose to renew with a new key or re-use the old one?
When I renew the root CA, will I have to create a new intermediary CA? I
don't seem to have any options to renew this. Can I create a new one and
still keep the old one until it expires?
Thank-you for your help
Regards
Mike |
|
| Back to top |
|
 |
Shreeniwas Kelkar [MSFT]
Guest
|
| Posted:
Tue Feb 01, 2005 3:34 am Post subject:
Re: Root CA expiry |
|
|
Even after you renew the CA, its old certificate is still valid till its
expiry date, unless you specifically revoke it.
--
Shreeniwas Kelkar [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Mike Robinson" <robinson_michael@hotmail.com> wrote in message
news:%23XGz737BFHA.3528@tk2msftngp13.phx.gbl...
| Quote: | We have a client using IPSec for VPN security. All of their certificates
are due to expire on the same day within the next few weeks, and I've
figured out that the root CA certificate is also due to expire.
If I renew the root CA, will this automatically make the old certificates
obsolete? I don't want to renew too early in case all of the IPSec
certificates suddenly need to be re-done at the same time.
Will it make any difference to the validity of the current IPSec
certificates if I choose to renew with a new key or re-use the old one?
When I renew the root CA, will I have to create a new intermediary CA? I
don't seem to have any options to renew this. Can I create a new one and
still keep the old one until it expires?
Thank-you for your help
Regards
Mike |
|
|
| Back to top |
|
|
Steven L Umbach
Guest
|
| Posted:
Tue Feb 01, 2005 6:48 am Post subject:
Re: Root CA expiry |
|
|
You will not have to make a new CA. The existing certificates will be fine
until they expire. A new key is more secure and the main difference as far
as I can tell is that you will then have another Certificate Revocation List
[CRL] in the CDP for newly issued certificates since they are digitally
signed by the CA's certificate. Unless you believe someone would be trying
to crack your CA's key because of sensitive information on your network they
want, you will be fine with renewing existing key --- Steve
"Mike Robinson" <robinson_michael@hotmail.com> wrote in message
news:%23XGz737BFHA.3528@tk2msftngp13.phx.gbl...
| Quote: | We have a client using IPSec for VPN security. All of their certificates
are due to expire on the same day within the next few weeks, and I've
figured out that the root CA certificate is also due to expire.
If I renew the root CA, will this automatically make the old certificates
obsolete? I don't want to renew too early in case all of the IPSec
certificates suddenly need to be re-done at the same time.
Will it make any difference to the validity of the current IPSec
certificates if I choose to renew with a new key or re-use the old one?
When I renew the root CA, will I have to create a new intermediary CA? I
don't seem to have any options to renew this. Can I create a new one and
still keep the old one until it expires?
Thank-you for your help
Regards
Mike |
|
|
| Back to top |
|
|
Mike Robinson
Guest
|
| Posted:
Thu Feb 03, 2005 7:53 pm Post subject:
Re: Root CA expiry |
|
|
| Quote: |
Thanks for your help - I've renewed the certificate, rebooted the server |
(SMTP got stuck - unrelated) and started creating new IPSec certificates.
Regards,
Kike |
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in