
Re: Expiration of root CA

Thanks Buchan, but:
I've made the following tests:
My current root CA: cacert.pem
My current server certificates: certificate_server.pem and certificate_server_private.pem
With these files, communication between clients and server is OK.
I create a new CA: cacert2.pem
and the new server certificates: certificate2_server.pem and certificate2_server_private.pem
With these certificates, communication between client and server is OK.
My last test is:
cacert.pem + cacert2.pem in the cacert3.pem file (this file is copied to the ldap server and each client)
certificate_server.pem + certificate2_server.pem in the certificate3_server.pem file
certificate_server_private.pem + certificate2_server_private.pem in the certificate3_server_private.pem file
Before the expiration time of cacert.pem, communication between client and server is OK.
After the expiration time of cacert.pem, communication between client and server is NOK!
What's wrong?

2010/2/12 Buchan Milne <bgmilne@staff.telkomsa.net>
On Thursday, 11 February 2010 12:18:37 Philippe Bloix wrote:
> Hi,
> My root CA will expire soon. What is the best method to avoid a break between
> ldap server and ldap client communication?
> If I create a new root CA, then I will have to copy this new root CA to
> each ldap client (several hundred). In this case, is it possible to switch
> from the old root CA to the new root CA without a break between server and
> client? How?

You should be able to deploy a new CA certificate file that contains both CA
certificates. As long as you deploy the combined CA cert file before you issue
new certs, and replace all the client or server certificates before the old CA
expires, you should have no interruption of service.
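The test described at the top of the thread, rebuilt with OpenSSL as an added example that is not part of the thread (all file names, lifetimes and the simulated clock are constructed): the combined CA bundle lets the old-CA-signed server certificate validate only while the old CA is unexpired, and a concatenated server certificate file still presents the old certificate first, which is why the third setup fails once cacert.pem expires.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild the test above with OpenSSL
# and use "openssl verify -attime" to simulate the old root CA having expired.
# All names, lifetimes and files here are constructed for the demonstration.
set -e

# Self-signed CA "$1" valid for $2 days -> $1.pem / $1.key; CA extensions come
# from a small constructed extfile so no openssl.cnf defaults are relied on.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" 2>/dev/null
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1.ext"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days "$2" -extfile "$1.ext" \
    -out "$1.pem" 2>/dev/null
}

# 365-day server certificate $1.pem for server.csr, signed by CA "$2"
issue_server() {
  openssl x509 -req -in server.csr -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 365 -out "$1.pem" 2>/dev/null
}

# The files from the thread, in a scratch directory. The old CA gets a 1-day
# lifetime, so "after expiration of cacert.pem" is two days from now.
setup_pki() {
  cd "$(mktemp -d)"
  make_ca old-root 1
  make_ca new-root 3650
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=ldap.example.com" 2>/dev/null
  issue_server certificate_server old-root
  issue_server certificate2_server new-root
  cat old-root.pem new-root.pem > cacert3.pem                  # cacert.pem + cacert2.pem
  cat certificate_server.pem certificate2_server.pem > certificate3_server.pem
}

# Chain-validate $1 against the bundle as if the clock read now + $2 seconds
verify_at() {
  openssl verify -CAfile cacert3.pem -attime "$(( $(date +%s) + $2 ))" "$1" >/dev/null 2>&1
}

# Issuer of the FIRST certificate in $1: the only one a server loads as its own
first_issuer() { openssl x509 -in "$1" -noout -issuer; }
setup_pki
TWO_DAYS=172800
verify_at certificate_server.pem 0          && echo "old cert before old CA expiry: OK"
verify_at certificate_server.pem $TWO_DAYS  || echo "old cert after old CA expiry:  NOK (chain expired)"
verify_at certificate2_server.pem $TWO_DAYS && echo "new cert after old CA expiry:  OK"
first_issuer certificate3_server.pem        # combined file still presents the old-CA cert
```

The fix implied by the reply above is to ship only the new server certificate and key (each file holding one certificate and one key) once the combined CA bundle is on every client.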