Hello,

I had to build a Certificate Authority (CA) server for an isolated network (I know, it seems silly). Anyway, I figured out how to create the CA service with a self-signed certificate that will expire in 9 years, because it was a 10-year certificate of which 9 years remain. I then created separate TLS keys and CSRs and had them signed by the CA server.

The two certificates for the "servers" (it's actually all the same one server with different DNS A-record-resolvable names) worked perfectly for the past year, but I was kept busy working on other tasks, so this isolated network got neglected. The two certificates for the servers expired last month.

I documented how to build the CA and how to create the CSRs and get them signed, but I didn't know how to write the documentation for maintaining any certificates once they expired. I want to properly, and gracefully, manage the CA server to do whatever is appropriate. I believe, but do not know for sure, that what I want to do is:

1. Revoke the expired certificates (maybe that is not necessary or appropriate?)
2. Clean up the CA database (with the openssl ca -updatedb command?)
3. Then create new server certificates for the 2 servers again.

I don't want to use the same one certificate for two services, because I have one for TLS-securing the LDAP service, making it an ldaps:// URL, and the other is for TLS-securing the Admin Console of the same 389-ds implementation.

Please help; I don't know what terminology I am looking for to properly pursue what a professional CA (like Verisign, or wherever) would do.

Thanks,
--------------------------
Warron French
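The three steps listed in the post, carried out end to end against a throwaway CA. This is an added example, not code from the original post or from the OpenSSL project. It assumes only the openssl command-line tool on PATH (1.1.1 or newer, because it uses "req -addext" to put a subjectAltName in the CSR); the CA name, the hostnames ldap.lab.example and console.lab.example, and the file layout under a temporary directory are made up for the demonstration. The first-year certificates are signed with -startdate/-enddate in the past so that one run reproduces the "both expired last month" state without waiting a year.

```shell
#!/bin/sh
# Added example (not code from the original post or from OpenSSL): a throwaway
# "openssl ca" taken through sign -> expire -> -updatedb -> -revoke/-gencrl -> re-sign.
# Assumes the openssl CLI (1.1.1+, for "req -addext") on PATH; the CA name and the
# hostnames ldap.lab.example / console.lab.example are made up for the demo.
set -e
CADIR="${CADIR:-$(mktemp -d)}"

write_ca_config() {  # $CADIR expands in the shell here, \$dir is left for openssl
  cat > "$CADIR/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CADIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
unique_subject = yes
policy = policy_cn
copy_extensions = copy
x509_extensions = server_ext
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}
setup_ca() {  # empty index.txt, hex counters, 10-year self-signed root (as in the post)
  mkdir -p "$CADIR/newcerts"; : > "$CADIR/index.txt"
  echo 1000 > "$CADIR/serial"; echo 1000 > "$CADIR/crlnumber"
  write_ca_config
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$CADIR/ca.key" 2>/dev/null
  openssl req -new -x509 -config "$CADIR/ca.cnf" -extensions v3_ca -key "$CADIR/ca.key" \
    -days 3650 -subj "/CN=Isolated Lab Root CA" -out "$CADIR/ca.crt" 2>/dev/null
}
make_csr() {  # make_csr NAME HOST: new key + CSR with a SAN (copied in by copy_extensions)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$CADIR/$1.key" 2>/dev/null
  openssl req -new -config "$CADIR/ca.cnf" -key "$CADIR/$1.key" -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" -out "$CADIR/$1.csr" 2>/dev/null
}
sign_csr() {  # sign_csr NAME [extra "openssl ca" options such as -startdate/-enddate]
  name=$1; shift
  openssl ca -config "$CADIR/ca.cnf" -batch -notext -in "$CADIR/$name.csr" \
    -out "$CADIR/$name.crt" "$@" 2>/dev/null
}
expire_old_certs() {  # post's step 2: rewrite 'V' rows whose notAfter has passed as 'E'
  openssl ca -config "$CADIR/ca.cnf" -updatedb 2>/dev/null
}
revoke_cert() {  # post's step 1: revoke_cert NAME REASON, then publish a fresh CRL
  openssl ca -config "$CADIR/ca.cnf" -revoke "$CADIR/$1.crt" -crl_reason "$2" 2>/dev/null
  openssl ca -config "$CADIR/ca.cnf" -gencrl -out "$CADIR/ca.crl" 2>/dev/null
}
count_status() {  # count_status V|E|R -> number of index.txt rows in that state
  grep -c "^$1" "$CADIR/index.txt" || true
}
crl_lists_serial() {  # crl_lists_serial HEXSERIAL -> success if the CRL carries it
  openssl crl -in "$CADIR/ca.crl" -noout -text | grep -q "Serial Number: $1"
}
cert_valid_now() {  # cert_valid_now NAME -> success if it chains, is unexpired and not on the CRL
  openssl verify -CAfile "$CADIR/ca.crt" -crl_check -CRLfile "$CADIR/ca.crl" \
    "$CADIR/$1.crt" >/dev/null 2>&1
}
run_lifecycle() {
  setup_ca
  # Year one: both service certs, dated in the past so the run reproduces
  # "both expired last month" without waiting a year.
  make_csr ldap-old ldap.lab.example
  make_csr console-old console.lab.example
  sign_csr ldap-old -startdate 230101000000Z -enddate 240101000000Z
  sign_csr console-old -startdate 230101000000Z -enddate 240101000000Z
  expire_old_certs                 # rows 1000 and 1001: 'V' -> 'E'
  revoke_cert ldap-old superseded  # optional for an expired cert; row 1000: 'E' -> 'R'
  # Post's step 3: new keys and CSRs for the same two names, accepted now that
  # neither subject still has a 'V' row (unique_subject = yes would refuse otherwise).
  make_csr ldap ldap.lab.example
  make_csr console console.lab.example
  sign_csr ldap
  sign_csr console
}
run_lifecycle
```

Points worth carrying into the maintenance write-up: "openssl ca -updatedb" touches nothing but index.txt, flipping V rows whose expiry date has passed to E, and it matters because with the default unique_subject = yes the CA refuses to sign a second certificate for a subject that still has a V row, which is exactly the state an expired-but-never-updated database is in. Revoking an expired certificate is accepted (the row becomes R and the serial appears in the next CRL), but a relying party already rejects the certificate on its notAfter date, so that step is housekeeping rather than protection; the part that does carry weight is regenerating the CRL with -gencrl whenever a row changes to R, and making sure the LDAP and console clients are actually given that CRL. Issuing the replacements from freshly generated keys, as above, rather than re-signing the old CSRs is the conservative choice for a server that sat neglected.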