and continue to use unexpired certificate/key pairs signed by the expired CA certificate. I did some research and found "openssl x509 -in ca.crt -days 3650 -out new-ca.crt -signkey ca.key", which seems to work, but I want to make sure there aren't any less-than-obvious issues I missed and that there isn't a better way to address the issue. Thanks for your help.
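One way to check the result of the command quoted above, as an added example that is not part of the original post: it builds a constructed throwaway CA and leaf, runs the quoted renewal command, and confirms that the subject and public key are unchanged, the new CA certificate is currently valid, and the already-issued leaf still verifies. The function names, the subject names and the use of a not-yet-expired test CA are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Everything except the renewal command is constructed test data.

# same_field OLD NEW OPT: true if `openssl x509 -noout OPT` prints the same for both.
same_field() {
    [ "$(openssl x509 -in "$1" -noout "$3")" = "$(openssl x509 -in "$2" -noout "$3")" ]
}

# check_renewed_ca OLD_CA NEW_CA LEAF: checks that matter for certificates
# that were issued before the CA certificate was re-signed.
check_renewed_ca() {
    same_field "$1" "$2" -subject || { echo "subject changed" >&2; return 1; }
    same_field "$1" "$2" -pubkey  || { echo "public key changed" >&2; return 1; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null \
        || { echo "new CA certificate is not currently valid" >&2; return 1; }
    openssl verify -CAfile "$2" "$3" >/dev/null 2>&1 \
        || { echo "existing leaf no longer verifies" >&2; return 1; }
}

# demo: build a throwaway CA and leaf in a temp directory, renew, then check.
# The test CA is short-lived rather than actually expired (assumption).
demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" &&
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
            -subj "/CN=Constructed Test CA" -days 1 2>/dev/null &&
        openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
            -subj "/CN=leaf.example.test" 2>/dev/null &&
        openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -out leaf.crt -days 30 2>/dev/null &&
        # The renewal command quoted in the post.
        openssl x509 -in ca.crt -days 3650 -out new-ca.crt -signkey ca.key 2>/dev/null &&
        check_renewed_ca ca.crt new-ca.crt leaf.crt
    )
    rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "renewed CA keeps subject and key; existing leaf verifies"
```

On real files, `check_renewed_ca ca.crt new-ca.crt some-issued.crt` runs the same checks; clients only benefit once new-ca.crt replaces the expired ca.crt in their trust stores.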