[prev in list] [next in list] [prev in thread] [next in thread]
List: openvpn-users
Subject: Re: [Openvpn-users] [ext] Re: CA migration?
From: Selva Nair <selva.nair () gmail ! com>
Date: 2021-07-23 1:38:10
Message-ID: CAKuzo_hBpbkr7-XJ08T2tKCPkYYOtAbT4dW=HjZVd9HR7ykqwg () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Hi
On Thu, Jul 22, 2021 at 9:10 PM Joe Patterson <j.m.patterson@gmail.com>
wrote:
> Or, make a new ca.crt file with both the old and new ca certs, no
> cross-signing required. Deploy to server, then to clients, so that
> both server and clients trust both CA's. Then update the client certs
> one by one to the new CA. Then update the server cert to the new CA.
> Then deploy a ca.crt with only the new CA cert.
>
This requires two rounds of client updates. But simpler than cross-signing.
Selva
[Attachment #5 (text/html)]
<div dir="ltr"><div>Hi</div><br><div class="gmail_quote"><div dir="ltr" \
class="gmail_attr">On Thu, Jul 22, 2021 at 9:10 PM Joe Patterson <<a \
href="mailto:j.m.patterson@gmail.com">j.m.patterson@gmail.com</a>> \
wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px \
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Or, make a new ca.crt \
file with both the old and new ca certs, no<br> cross-signing required. Deploy to \
server, then to clients, so that<br> both server and clients trust both CA's. \
Then update the client certs<br> one by one to the new CA. Then update the server \
cert to the new CA.<br> Then deploy a ca.crt with only the new CA \
cert.<br></blockquote><div><br></div><div>This requires two rounds of client \
updates. But simpler than \
cross-signing.</div><div><br></div><div>Selva</div></div></div>
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic