Michael Leone on 2 May 2017 10:26:37 -0700
Re: [PLUG] Migrating and updating a CA
On Tue, May 2, 2017 at 1:09 PM, brent timothy saner <brent.saner@gmail.com> wrote:
> On 05/02/2017 01:00 PM, Michael Leone wrote:
>> So: how do I migrate over my configured CA from the old VM to a new VM?
>
> just rsync? it depends where on the filesystem it is, but if you're
> using just plain ol' openssl and a custom openssl.cnf, that dir should
> be all you need. by the way, it's advised that if you're relying on

Ah. Good. Yes, just a custom openssl.cnf.

>> But what of the CA cert? How can I re-issue that, while still
>> maintaining backward compatibility with my existing certs?
>
> this is precisely why root CAs use intermediary certs. if you were,
> this'd be a lot easier. as it stands, i'm assuming you've imported the
> CA system-wide on client systems. the only way forward, if you want your
> CA cert to be sha256, is to import the new CA cert and remove the old CA
> cert on each client.

That's OK. We're a Windows shop; I pushed the old cert using Group Policy; I can just remove the old one; wait a day or so for all clients to check in with Group Policy, so the old one is removed; then push the new one, the same way. Group Policy is a great way to enforce your will on Windows machines. LOL

So what do I do? Change the default_md to sha256; request a new cert for the CA on the old VM; sign it (sign from the old one, but with the new option); take the resulting new cert over to the new VM, and use *that* as the new CA cert, and issue from there, from now on?

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
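
The re-issue step discussed in this message, as an added example that is not part of the original thread or anyone's actual CA setup: it builds a throwaway SHA-1 CA, issues one leaf, re-signs the CA certificate with SHA-256, and checks that the old leaf still chains to the new CA certificate. It assumes the CA key and subject are kept unchanged and that a default openssl.cnf is installed; the names, lifetimes and file names are constructed, and clients still need the new CA certificate in their trust store.

```sh
#!/bin/sh
# Added example. Constructed values: "Example Demo CA", host.example.test, 30-day lifetimes.

# Build an old SHA-1 CA, one leaf under it, and a re-issued SHA-256 CA cert in directory $1.
build_demo_pki() {
    ( cd "$1" || exit 1
      # Old CA: new RSA key plus a self-signed SHA-1 certificate.
      openssl req -x509 -newkey rsa:2048 -nodes -sha1 -days 30 \
          -subj "/CN=Example Demo CA" -keyout ca.key -out ca-old.pem 2>/dev/null || exit 1
      # A leaf certificate issued while the old CA cert was in use.
      openssl req -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
          -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1
      openssl x509 -req -in leaf.csr -CA ca-old.pem -CAkey ca.key -set_serial 2 \
          -sha1 -days 30 -out leaf.pem 2>/dev/null || exit 1
      # Re-issued CA cert: SAME key, SAME subject, SHA-256 self-signature.
      openssl req -x509 -new -key ca.key -sha256 -days 30 \
          -subj "/CN=Example Demo CA" -out ca-new.pem 2>/dev/null || exit 1
    )
}

# Print the signature algorithm of certificate $1.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeed if certificates $1 and $2 carry the same public key.
same_pubkey() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Succeed if certificate $2 chains to trust anchor $1.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    build_demo_pki "$d" || { rm -rf "$d"; return 1; }
    echo "old CA: $(sig_alg "$d/ca-old.pem")  new CA: $(sig_alg "$d/ca-new.pem")"
    chains_to "$d/ca-new.pem" "$d/leaf.pem" && echo "old leaf verifies against new CA cert"
    rm -rf "$d"
}
demo
```

The leaf's signature is checked against the CA's public key and its issuer name is matched against the CA's subject, so the digest used for the CA's own self-signature does not affect existing leaves; generating a new CA key or changing the subject would break that link.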