Replies: 1 comment 11 replies
-
|
It’s not a warning that something in EJBCA will not work. It’s merely an advice that simply rekeying a CA is not considered the best practice as it complicates path building and root anchor management on your clients. If you are sure it works among your relying parties, by all means go ahead, but if someone asks for the best practice it is a new CA rollover compared to a rekeying. |
Beta Was this translation helpful? Give feedback.
-
|
That is not a renewal, that doesn't do anything but change CRL issue stuff. To re-key and renew a CA you have to click the "Renew CA" button. |
Beta Was this translation helpful? Give feedback.
-
|
Do I understand correctly that changing these fields and hit "Save" does not change the CA serial and start and end dates? In my case, the CA has a new serial and start and end dates. Would a database query provide any clarity and what might that query look like? |
Beta Was this translation helpful? Give feedback.
-
|
Correct. Editing those fields and clicking save will not create a new CA certificate. If there is one, someone have clicked the "Renew CA button" at some time. The audit log should say who and when, and the CA certificate notBefore date will tell you when as well of course. |
Beta Was this translation helpful? Give feedback.
-
|
@primetomas But how to solve the problem that the CA chain downloaded via the EJBCA Admin UI is correct, meaning the latest version of a specific CA is used, but through the EJBC WS the CA chain with the previous version is returned? Also, which database tables should be looked at for such a problem? |
Beta Was this translation helpful? Give feedback.
-
|
That looks like a potential bug in the code I linked to here #850 (reply in thread), if the CA has been renewed. Can you create a new Issue for that? |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Hi!
I am experiencing issues with re-keying a CA in EJBCA while using the same Distinguished Name (DN). According to the EJBCA documentation, it is recommended to create a new Root CA instead of re-keying an existing one. The warning states:
Consider creating a new Root CA instead of re-keying an existing one. Having multiple Root CA certificates with different keys but using the same subject DN may lead to complicated and unexpected issues and behavior.CA re-keying was done years ago, and the issue has only surfaced this week. Creating a new CA is not an option for me at this point.
I am seeking guidance on how to resolve these issues. When possible, please describe how to fix this on the DB side.
Thanks!
Beta Was this translation helpful? Give feedback.
All reactions