10 Jun 2008, Glenn R. Moloney wrote:
> Can someone enlighten me as to whether it is necessary for a CA to
> revoke an existing host certificate when issuing a new cert for that
> host?
>
> We recently ran into trouble when our CA issued new certs for our hosts.
> The old certs would have expired within 20 days. Due to delays in
> notification we had not deployed the new certs when the old certs
> started appearing in the updated CRLs at sites across the grid.
>
> Our CA tells us they have to revoke the old certs when issuing the new
> certs. This seems a difficult requirement for sites trying to maintain a
> production service without 24/7 operations.
Indeed. This is the first time that I hear about such a requirement.
I suppose it is defensible from a purist interpretation of the rules,
but totally impracticable.