[Pki-users] CA validity period

James Wright James.Wright at sma.co.uk
Thu Jan 14 18:01:56 UTC 2010


Thanks for the fast response. I'll try it tomorrow.
James



----- Original Message -----
From: Marc Sauton <msauton at redhat.com>
To: James Wright
Cc: pki-users at redhat.com <pki-users at redhat.com>
Sent: Thu Jan 14 17:53:49 2010
Subject: Re: [Pki-users] CA validity period

On 01/14/2010 09:36 AM, James Wright wrote:
>
> Hi
>
> This may be a couple of stupid questions but here goes:
>
> 1. How do I set the validity period for the first self signed CA 
> certificate to be more than the default 2 years?
>
http://www.redhat.com/docs/manuals/cert-system/8.0/admin/Admin_Guide.pdf
for validity constraints
and for a CA profile:
/var/lib/pki-<instance_id>/profiles/ca/caCACert.cfg
near
policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
>
> 2. when the CA certificate expires will I need to renew all my end 
> user certificates or just renew my CA certificate?
>
Always renew a CA cert in advance, otherwise the trust chain can no longer 
be verified.
Renewal can only happen on a valid cert, before expiration; otherwise 
this is a re-issuance.
>
> Thanks
>
> James
>


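Added example, not part of the thread and not Red Hat's own code: a small audit and rewrite of the validity settings in a profile file such as the `caCACert.cfg` named in the reply. Only the `validityConstraintImpl` line comes from the thread; the `params.range` keys, the `caValidityDefaultImpl` and `noConstraintImpl` class names and the day values are assumptions in a constructed sample.

```python
import re

# Constructed sample: only the validityConstraintImpl line is from the thread;
# the other keys, class names and day values are assumptions.
SAMPLE_PROFILE = """\
policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
policyset.caCertSet.2.constraint.params.range=720
policyset.caCertSet.2.default.class_id=caValidityDefaultImpl
policyset.caCertSet.2.default.params.range=720
policyset.caCertSet.3.constraint.class_id=noConstraintImpl
"""

KEY_RE = re.compile(r"^policyset\.([^.]+)\.([^.]+)\.(constraint|default)\.(.+)$")

def parse_profile(text):
    """Return {(set, id): {"constraint": {...}, "default": {...}}}."""
    policies = {}
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, value = line.split("=", 1)
        m = KEY_RE.match(key.strip())
        if m:
            set_name, pid, part, attr = m.groups()
            entry = policies.setdefault((set_name, pid), {"constraint": {}, "default": {}})
            entry[part][attr] = value.strip()
    return policies

def validity_report(text):
    """List policies guarded by validityConstraintImpl with their ranges in days."""
    report = []
    for (set_name, pid), p in sorted(parse_profile(text).items()):
        if p["constraint"].get("class_id") != "validityConstraintImpl":
            continue
        limit = int(p["constraint"].get("params.range", 0))
        default = int(p["default"].get("params.range", 0))
        report.append({"policy": f"{set_name}.{pid}", "constraint_days": limit,
                       "default_days": default, "default_within_limit": default <= limit})
    return report

def raise_validity(text, days):
    """Return profile text with both ranges of every validity policy set to days."""
    targets = {r["policy"] for r in validity_report(text)}
    out = []
    for line in text.splitlines():
        m = KEY_RE.match(line.split("=", 1)[0].strip())
        if m and f"{m[1]}.{m[2]}" in targets and m[4] == "params.range":
            line = f"{line.split('=', 1)[0]}={days}"
        out.append(line)
    return "\n".join(out) + "\n"
```

`default_within_limit` being false means the default validity the profile would populate is longer than the constraint allows, which is why the rewrite changes both ranges together.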