[clug] Certificate authority re-signing

Brendan Jurd direvus at gmail.com
Tue Jan 18 19:12:06 MST 2011


On 19 January 2011 12:37, Paul Wayper <paulway at mabula.net> wrote:
> Is there any point in keeping old certificate signing requests about
> for the situation where we have a disaster with the old CA and have to
> re-sign everything with a new CA? Can we generate new certificates
> based purely on the PEM info of the old certificates? Or does the
> question make no sense?

My understanding is that a CSR is always generated from a private key,
so unless you have access to the private keys of all your client certs
you will not be able to produce new CSRs to be signed by your new CA.

If you really are concerned about possibly having to re-sign as a new
CA (although this seems like a bizarre scenario), you probably do want
to retain those CSRs.  The only other option is to have the owners of
your client certs submit new CSRs.

Cheers,
BJ
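
The scenario discussed in this thread, as an added example that is not part of the original posts: a CSR kept on file is signed by a replacement CA with no access to the client's private key. The subject names, file names and helper functions are constructed for illustration, and the `openssl` command-line tool is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example: a retained CSR can be signed by a replacement CA
# without the client's private key. All names here are constructed.
set -eu

make_ca() {    # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

sign_csr() {   # $1 = CA prefix, $2 = CSR file, $3 = output certificate
  openssl x509 -req -in "$2" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 30 -out "$3" 2>/dev/null
}

pubkey_fp() {  # SHA-256 over the PEM public key read on stdin
  openssl sha256 | awk '{print $NF}'
}

resign_demo() ( # $1 = empty working directory; body runs in a subshell
  cd "$1" &&
  # Client side: key pair plus CSR. Only client.csr is sent to the CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client.example" \
    -keyout client.key -out client.csr 2>/dev/null &&
  make_ca old "Old CA" && sign_csr old client.csr client-old.crt &&
  # Disaster: the old CA key is gone. The client key is removed as well,
  # to show that nothing below depends on it.
  rm -f old.key client.key &&
  make_ca new "New CA" &&
  # The CSR's self-signature (proof of key possession) still verifies.
  openssl req -in client.csr -noout -verify >/dev/null 2>&1 &&
  sign_csr new client.csr client-new.crt &&
  openssl verify -CAfile new.crt client-new.crt >/dev/null
)

same_key() {   # $1 = directory: do CSR, old cert and new cert share one key?
  a=$(openssl req  -in "$1/client.csr"     -noout -pubkey | pubkey_fp)
  b=$(openssl x509 -in "$1/client-old.crt" -noout -pubkey | pubkey_fp)
  c=$(openssl x509 -in "$1/client-new.crt" -noout -pubkey | pubkey_fp)
  [ "$a" = "$b" ] && [ "$b" = "$c" ]
}

work=$(mktemp -d)
resign_demo "$work" && same_key "$work" &&
  echo "re-signed under new CA: $work/client-new.crt"
```

The new certificate carries the same public key as the old one, so the client's existing private key keeps working; clients only need the new certificate and the new CA certificate.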

