We have an existing internal standalone root CA that issues certificates for our domain mycompany.com. We have multiple certificates installed all over the company from this CA. The problem we're facing is that we have a Cisco VPN that needs to trust this CA for mobile device VPN, but it returns an error because the expiration date of the root CA goes beyond the year 2038, and it doesn't accept it. Now the question is how to get around this? If I renew the root CA with the same private/public key and an expiration date before the year 2038, will I need to renew the certificates already issued by this CA? The second option we are looking at is to install a subordinate issuing CA; in this case the question is whether this CA will be able to issue certs for the domain name mycompany.com. Any suggestion from a PKI expert on how to get out of this mess would be appreciated.
Regarding your first answer, I am always wondering this myself. I would test this very specific scenario in your lab! I think it should be possible to renew the certificate with the same keys but another expiration date.
Regarding the issuing (online) CA: your Cisco VPN should verify the trust chain up to the root CA and then again complain about the validity period of the root CA.
Thus you either need to renew the root CA with the same keys and a shorter validity period, OR you need to set up a second CA.

cornelinux
- I guess I will have to set up VMs in the lab and test it out. Didn't think about the chain trust going to the top, so ruling out option 2. – Cividan Oct 06 '14 at 15:29
- It very much depends on the implementation of the Cisco VPN. If it simply trusts an intermediate CA (which it should not, in theory), then this could be a solution. But it is a bad idea to rely in your design on a hopefully faulty implemented PKI-enabled application. – cornelinux Oct 07 '14 at 06:46