Re: change ca certifiactes' subject name
From: Brian Komar [MVP] (bkomar_at_nospam.identit.ca)
Date: 09/21/05
- Next message: Paul Adare: "Re: ScSi"
- Previous message: Jan Mönnich: "change ca certifiactes' subject name"
- In reply to: Jan Mönnich: "change ca certifiactes' subject name"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 21 Sep 2005 05:45:56 -0500
In article <OyPrJhpvFHA.3124@TK2MSFTNGP12.phx.gbl>, jan.moennich@gwdg.de
says...
> hi folks,
>
> we need to renew the ca certificate and we want to change the subject
> name of the certificate at the same time. we tried to install a new
> certificate with a modified subject name. the ca displayed an error that
> the common name of the submitter does not match the name of the
> current configuration.
>
> the reason we want to do that is a planned migration from an old
> structure to a new one. is there any way to change a ca certificates'
> subject name and keeping all issued certificates?
>
> thanks!
> jan mönnich
>
No. When you renew a CA certificate you are signing the request with the
old CA certificate (thus requiring the same name)
If you want to switch names, you need to do a phased migration. You keep
the old CAs up to sign CRLs, but remove all ability to issue
certificates:
- standalone CA: ensure all requests are pended and you reject all
requests
- enterprise CA: Do not make any certificate templates available.
Deploy new CAs with the desired names and then deploy from the new CAs
all certificates
Brian
- Next message: Paul Adare: "Re: ScSi"
- Previous message: Jan Mönnich: "change ca certifiactes' subject name"
- In reply to: Jan Mönnich: "change ca certifiactes' subject name"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
