I am implementing our project-specific Certification Authority (CA). I have met with a case like renewing the CA's certificate.
The problem is, we have a very big system, and we are giving the certs to multiple components (we issue certs to thousands of entities). So if we revoke the old cert directly at the time of renewing, it is causing security issues. For this we are following a process like: we just add a new certificate to our CA, and we will renew the certs of all the entity certs that were issued by the CA.
This process is working fine, but I have met with a small problem in publishing the CRL (as the CRL is signed by the CA's certificate).
If we sign with the old cert of the CA, then already renewed entities are facing security issues; if we sign with the new cert of the CA, then the entities with old certs are facing security issues.
The renewal process of the CA in my system will take a period of time. In this case, I am proposing to publish 2 CRLs for the renewed CA.
But I am not sure that one can publish 2 CRLs for the same CA.
Please comment on the above statement.
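The two-CRL arrangement described in the question, as an added example (not the asker's code; it uses the Python `cryptography` package): the old and new CA certificates share one subject name, each signs its own CRL carrying the same revoked serials, and a relying party selects the CRL whose Authority Key Identifier matches the CA key it trusts. All names, serials and dates below are constructed.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Constructed values: one CA name kept identical across the key rollover.
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Project CA")])
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

def make_ca_cert(key):
    """Self-signed CA certificate; SKI lets relying parties tell the two CA keys apart."""
    pub = key.public_key()
    return (x509.CertificateBuilder()
            .subject_name(CA_NAME).issuer_name(CA_NAME)
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(pub), critical=False)
            .sign(key, hashes.SHA256()))

def make_crl(ca_key, ca_cert, revoked_serials):
    """One CRL signed by the given CA key; its AKI names which CA key signed it."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + timedelta(days=7))
               .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(
                   ca_cert.public_key()), critical=False))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())

def matching_crl(crls, ca_cert):
    """Relying-party side: take the CRL whose AKI matches the trusted CA cert's SKI
    and whose signature verifies under that CA key; ignore the other CRL."""
    ski = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
    for crl in crls:
        aki = crl.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
        if aki == ski and crl.is_signature_valid(ca_cert.public_key()):
            return crl
    return None

def demo():
    """Old and new CA keys, one cert each, and one CRL per key over the same revoked serials."""
    old_key, new_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    old_ca, new_ca = make_ca_cert(old_key), make_ca_cert(new_key)
    revoked = [1001, 1002]  # constructed entity-certificate serials
    return old_ca, new_ca, [make_crl(old_key, old_ca, revoked), make_crl(new_key, new_ca, revoked)]
```

Both CRLs name the same issuer, so an entity that only checks the issuer name cannot tell them apart; the AKI/SKI match and the signature check are what make the two-CRL scheme safe for both populations during the rollover window.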