Answer the question
In order to leave comments, you need to log in
Answer the question
In order to leave comments, you need to log in
You are confusing something. If the new "root" certificate is signed with the old root certificate, then it will be a regular intermediate certificate. You won't gain anything by doing this. The validity period of issued certificates cannot be longer than the signer's certificate.
The root certificate can be reissued with the old key, then the new root certificate will have the same AKI (Authority Key Identifier) as the old one. This will allow the new root certificate to be used to sign new certificates that will be valid with the old root certificate.
Please specify what exactly do you want?
What for? The previous one expires, his signature is ignored. In addition, you issue a root CA that is trusted by default under all conditions.
Theoretically:
1. Generate a new private key
2. Create a certificate request
3. Generate a new certificate using the old certificate, the old key and the new certificate request.
Practically - I'm not sure that everything will be fine with an expired certificate.
Frankly, I did not understand the essence. :-)
Understood that you are going to create an off-line root CA. Then you create an intermediate CA signed by the root CA, and this CA will sign end device certificates. Or you just download the certificate (public key) of the intermediate CA to your devices so that they apparently verify end user certificates.
And here's what I didn't understand at all. Who should sign the certificates? Who are the certificates for? What does previous UC mean?
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question