[Pki-users] CA validity period

Marc Sauton msauton at redhat.com
Thu Jan 14 17:53:49 UTC 2010


On 01/14/2010 09:36 AM, James Wright wrote:
>
> Hi
>
> This may be a couple of stupid questions but here goes:
>
> 1. How do I set the validity period for the first self-signed CA 
> certificate to be more than the default 2 years?
>
http://www.redhat.com/docs/manuals/cert-system/8.0/admin/Admin_Guide.pdf
for validity constraints
and for a CA profile:
/var/lib/pki-<instance_id>/profiles/ca/caCACert.cfg
near
policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
>
> 2. When the CA certificate expires, will I need to renew all my end 
> user certificates or just renew my CA certificate?
>
Always renew a CA cert in advance; otherwise the trust chain can no longer 
be verified.
Renewal can only happen on a valid cert, before expiration; otherwise 
this is a re-issuance.
>
> Thanks
>
> James
>    
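The effect described in the reply to question 2, as an added example that is not part of the original message and does not use Certificate System itself: a throwaway CA built with the `openssl` CLI (assumed to be installed) outlives its validity while the leaf it signed is still in date, and chain verification fails. All subjects, file names and lifetimes are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example; every name, subject and lifetime below is constructed.

# Build a throwaway CA valid for 2 days and a leaf valid for 30 days in $1.
make_demo_pki() {
  local d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/ca.key" -out "$d/ca.pem" -days 2 2>/dev/null &&
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=constructed-leaf.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null
}

# Verify the leaf as if the clock were $2 seconds ahead; prints ok or fail.
chain_status_at() {
  local when=$(( $(date +%s) + $2 ))
  if openssl verify -CAfile "$1/ca.pem" -attime "$when" "$1/leaf.pem" \
       >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Succeeds when the CA cert in $1 expires within the next $2 seconds.
ca_renewal_due() {
  ! openssl x509 -in "$1/ca.pem" -noout -checkend "$2" >/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo"
echo "chain one minute from now: $(chain_status_at "$demo" 60)"
echo "chain in 5 days (CA expired, leaf not): $(chain_status_at "$demo" 432000)"
ca_renewal_due "$demo" 432000 && echo "CA renewal is due within 5 days"
rm -rf "$demo"
```

Running `ca_renewal_due` from a scheduled job against the real CA certificate, with a lead time long enough to complete a renewal, gives warning before the chain stops verifying.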
