Replacing an expired certificate with a new one

Posted Mar 31, 2011 13:43 UTC (Thu) by epa (subscriber, #39769)
In reply to: Replacing an expired certificate with a new one by erwbgy
Parent article: Fallout from the fraudulent SSL certificates

Yes, I'm a bit shaky on the terminology here and I thought somebody might spot that.

So, a certificate is a signed public key. That public key has a corresponding private key. Use the old private key to sign the new certificate. Then somebody who has your old public key (given by the old certificate) can use it to verify the new certificate. Even if the old certificate is expired, you can still use it for the limited task of checking the new one (or better, the cert should have two expiry dates, one for general use, and a longer one just for validating its successor).

This makes sure that whoever has the new keypair, identified by the new certificate, also has the old keypair. In other words, it provides some measure of making sure the same person or entity controls the new private key as the old. If, additionally, the old certificate is near or past its expiry date, and the new certificate is signed by one or more CAs that you trust, then you have a reasonable certainty that the new cert is genuine. This is better than relying on CAs alone.
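The procedure epa describes, written out as an added example in Go's standard library (not code from the thread or from LWN): the old private key signs the successor certificate, and a holder of the old public key checks that signature with `CheckSignatureFrom`, which ignores expiry, while a normal chain validation rooted at the expired certificate is rejected. The names `Succession`, `newCert` and `must`, the `example.test` common name, serials and validity dates are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // setup errors (key generation, DER encoding) are fatal here
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a CA-capable certificate for pub, signed with signer; a nil parent means self-signed.
func newCert(cn string, from, to time.Time, serial int64, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             from,
		NotAfter:              to,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true, // lets the old certificate sign its successor
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// Succession: the old certificate expired yesterday; the new certificate, for a fresh key pair, is
// signed with the OLD private key. Returns the limited signature check and a full chain validation result.
func Succession(now time.Time) (sigErr, chainErr error) {
	oldKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	newKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	oldCert := newCert("example.test", now.Add(-366*24*time.Hour), now.Add(-24*time.Hour), 1, &oldKey.PublicKey, nil, oldKey)
	newCrt := newCert("example.test", now, now.Add(365*24*time.Hour), 2, &newKey.PublicKey, oldCert, oldKey)
	sigErr = newCrt.CheckSignatureFrom(oldCert) // ignores expiry: nil means the old key signed the new cert
	roots := x509.NewCertPool()
	roots.AddCert(oldCert)
	_, chainErr = newCrt.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}) // expired root: rejected
	return sigErr, chainErr
}
```

The contrast between the two results is the point of the comment: the expired certificate is useless to a normal validator but still serves the limited task of vouching for its successor.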


Replacing an expired certificate with a new one

Posted Apr 1, 2011 13:29 UTC (Fri) by knobunc (subscriber, #4678)

It is a good idea, but it only helps you if you have the old public key. It certainly adds another layer of trust that Certificate Patrol can make use of.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds