Hi Glenn,
> Can someone enlighten me as to whether it is necessary for a CA to
> revoke an existing host certificate when issuing a new cert for that
> host.
>
> We recently ran into trouble when our CA issued new certs for our hosts.
> The old certs would have expired within 20 days. Due to delays in
> notification we had not deployed the new certs when the old certs
> started appearing in the updated crls at sites across the grid.
>
> Our CA tells us they have to revoke the old certs when issuing the new
> certs. This seems a difficult requirement for sites trying to maintain a
> production service without 24/7 operations.
Some issues have been discussed in a previous thread, and these are exactly the
same concerns at our site: we were not able to apply the changes in time
when we could not apply the rekeyed host cert before the CA had already
published the new CRL to the world.

Ideally, and also to comply with the signing policy, the CRL is expected to be
updated immediately after every revocation. We asked for an extra option
on rekey requests so that the admin is able to pick a preferable time
for the new certificate to be issued, of course within the valid lifetime
of the user's or host's certificate, so that we are able to apply the host cert in
time if the new CRL has been published on the CA web site right after the old
host/user cert has been revoked.

Alternatively, we asked for a couple of hours' delay in publishing the CRL so that
we are able to apply the host cert in time. Presuming the latency between each
CRL fetch is around 4-6 hours, we might be able to avoid the
authentication error due to the expired host cert after remote sites reload
the new CRL published from the CA web site. Of course, the delay shall be subject to
the same business day to avoid conflict with the security policy.

Others may have other comments related to the same issue, which is expected to be
encountered often when applying rekey requests from the CA root.

Fortunately, before Jun 2008 this year, we have two CA roots online and are
able to switch to issuing the host cert with the new production CA root, so that we
could let the old certificate expire naturally.
Br,
J
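The timing problem the two messages describe (old cert revoked at issuance, CRL published, remote sites reload on their own schedule, host refused until the admin installs the replacement) can be modelled so that a site can see its exposure window and evaluate the two options J asks for: an admin-chosen issuance time, and a bounded CRL publication delay. The following is an added illustration, not code from the thread or from any CA; all dates, intervals and the "same calendar day" reading of "same business day" are constructed assumptions.

```python
"""Model of the rekey/revocation timing gap discussed in the thread.

A host cert is revoked the moment its replacement is issued; the CA publishes
the updated CRL after some delay; relying sites refresh their CRL copy on a
fetch interval; the host is refused by a site from that site's first refresh
until the admin installs the new cert. All values below are constructed
sample data, not taken from any real CA or site.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ZERO = timedelta(0)


@dataclass
class RekeyPlan:
    old_not_after: datetime         # expiry of the certificate being replaced
    issue_time: datetime            # CA issues the new cert and revokes the old one
    crl_publish_delay: timedelta    # CA's delay between revocation and CRL publication
    peer_fetch_interval: timedelta  # how often relying sites refresh their CRL copy
    deploy_time: datetime           # when the admin actually installs the new cert

    def crl_published_at(self) -> datetime:
        return self.issue_time + self.crl_publish_delay

    def first_rejection(self) -> datetime:
        """Earliest moment some site can refuse the old cert: a site that fetches
        the CRL right after publication, or plain expiry, whichever comes first."""
        return min(self.crl_published_at(), self.old_not_after)

    def last_rejection(self) -> datetime:
        """By this time every site has refreshed (one fetch interval after
        publication), so the old cert is refused everywhere."""
        return min(self.crl_published_at() + self.peer_fetch_interval,
                   self.old_not_after)

    def outage(self) -> timedelta:
        """Worst-case window in which at least one site refuses the host."""
        return max(ZERO, self.deploy_time - self.first_rejection())

    def publish_delay_needed(self) -> timedelta:
        """Smallest CRL publication delay under which no site refuses the old
        cert before the new one is installed (the 'couple of hours' request)."""
        return max(ZERO, self.deploy_time - self.issue_time)

    def delay_within_same_day(self, delay: timedelta) -> bool:
        """Assumption: 'same business day' is read as the same calendar date as
        the revocation."""
        return (self.issue_time + delay).date() == self.issue_time.date()


def pick_issue_time(old_not_after: datetime, admin_ready_at: datetime,
                    install_lead: timedelta,
                    crl_publish_delay: timedelta) -> Optional[datetime]:
    """The other option in the thread: the admin chooses when the CA issues
    (and therefore revokes). Returns an issuance time at which the new cert is
    installed before any site can reject the old one, or None if the install
    lead time does not fit inside the CA's publication delay or the old cert's
    remaining validity."""
    issue = admin_ready_at
    if issue >= old_not_after:
        return None
    deploy = issue + install_lead
    if deploy > min(issue + crl_publish_delay, old_not_after):
        return None
    return issue


# Constructed scenario 1: the situation in Glenn's mail. ~20 days of validity
# left, CRL published immediately, and notification delays mean the new cert
# is only installed two days after issuance.
def immediate_publication_scenario() -> RekeyPlan:
    return RekeyPlan(old_not_after=datetime(2008, 4, 20, 0, 0),
                     issue_time=datetime(2008, 4, 1, 9, 0),
                     crl_publish_delay=ZERO,
                     peer_fetch_interval=timedelta(hours=6),
                     deploy_time=datetime(2008, 4, 3, 9, 0))


# Constructed scenario 2: J's request. The CA holds the CRL for four hours
# (still the same day) and the admin installs three hours after issuance.
def delayed_publication_scenario() -> RekeyPlan:
    return RekeyPlan(old_not_after=datetime(2008, 4, 20, 0, 0),
                     issue_time=datetime(2008, 4, 1, 9, 0),
                     crl_publish_delay=timedelta(hours=4),
                     peer_fetch_interval=timedelta(hours=6),
                     deploy_time=datetime(2008, 4, 1, 12, 0))


if __name__ == "__main__":
    for name, plan in (("immediate", immediate_publication_scenario()),
                       ("delayed", delayed_publication_scenario())):
        print(f"{name}: first rejection {plan.first_rejection()}, "
              f"all sites by {plan.last_rejection()}, outage {plan.outage()}, "
              f"delay needed {plan.publish_delay_needed()}")
```

The model makes the point of the thread explicit: once the old cert is on a published CRL, its remaining 20 days of validity no longer matter, and the exposure is bounded only by how quickly the admin installs the new cert relative to the CA's publication delay and the peers' fetch interval.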