[Important] - Change of CA private key | use of 2 private keys at same time?


[Important] - Change of CA private key | use of 2 private keys at same time?

by Yildirim Zaynal

Dear all,

Current situation:
OpenCA version 0.9.2.5
CA: using a private key of 4096 bits.

Issue: Some applications don't support 4096-bit key lengths => I want to
sign certificates with a 2048-bit CA key.

Question: I don't want to install another OpenCA server, and I want to
use the same database for the certificates so that everything is more
clean and consistent. Is it possible to change the CA (the public key
& private key) without any problems?

Or is it possible to have 2 private keys and choose which one to sign
with using OpenCA?

Any comments/ideas are welcome.

Kind regards,

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: [Important] - Change of CA private key | use of 2 private keys at same time?

by Dominique LOHEZ

Yildirim Zaynal wrote:

> Dear all,
>
> Current situation:
> OpenCA version 0.9.2.5
> CA: using a private key of 4096 bits.
>
> Issue: Some applications don't support 4096-bit key lengths => I want to
> sign certificates with a 2048-bit CA key.
>
> Question: I don't want to install another OpenCA server, and I want to
> use the same database for the certificates so that everything is more
> clean and consistent. Is it possible to change the CA (the public key
> & private key) without any problems?
>
The Certification Authority is the central pole of stability of any
Public Key Infrastructure,
so it cannot be changed.
Neither the public nor the private key can be changed.
Even the self-signed certificate must be issued for the expected
duration of the installation.
So the only way to get the change you want is to erase the existing CA
and build a new one from scratch.
The solution is very severe!!!
In addition, care must be taken in how to deal with the already issued
certificates.

As an alternative you may imagine creating on the same server a new sub-CA
with a key of the right length.
However, since the sub-CA certificate must be signed by the root CA, the
problem of key length then arises when checking the sub-CA certificate.


IMHO you should check very carefully whether your applications cannot be
parametrized so that they recognize the existing key.


I hope this helps

Dominique

> Or is it possible to have 2 private keys and choose which one to sign
> with using OpenCA?
>
> Any comments/ideas are welcome.
>
> Kind regards,


--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France

Phone : +33 (0)3 20 30 40 71
Email: Dominique.Lohez@...



Re: [Important] - Change of CA private key | use of 2 private keys at same time?

by blainedw


Not possible to my knowledge.



Re: [Important] - Change of CA private key | use of 2 private keys at same time?

by Massimiliano Pala

Hi,

that is really the first time I hear of a limitation on the public key inside
CA certificates.

Usually some applications do not work well trying to use longer key sizes
(e.g., crypto export issues, etc.), but usually they are able to correctly
parse and verify certificates no matter what the key sizes in them are.

Are those ad-hoc apps or are they publicly available? If so, can you
tell me which ones they are (so I will always avoid using them!)?

Back to your problem, if it is related to the End Entity (application/
user) certificate, then just allow only smaller key sizes when
issuing certificates. If, instead, the problem is with the key size of
the CA's key, then you will have to re-generate the key and self-sign
the certificate again.

The option of rolling over with a sub-CA is not an option as the certificate
chain will always chain back to your original 4096-bit CA.
You can still use the database from the old CA and use that for an automated
roll-over of the issued certificates (early renewal), but that would require
some coding - especially with the old 0.9.2 version...

Probably this is not the answer you wanted.. :( I would suggest you
double-check that the app issue is with the verification of the cert chain
and not only with the size of the key they are using.. besides that, I do
not have another suggestion right now...

Let us know if/how you solve your issue.. it might be useful to others.

Later,
Max

P.S.: If you have control over the code in your apps, you might decide to
change the approach and fix the errors in those applications instead of
re-issuing all the certificates.



On 10/6/09 6:10 AM, Yildirim Zaynal wrote:

> Dear all,
>
> Current situation:
> OpenCA version 0.9.2.5
> CA: using a private key of 4096 bits.
>
> Issue: Some applications don't support 4096-bit key lengths => I want to
> sign certificates with a 2048-bit CA key.
>
> Question: I don't want to install another OpenCA server, and I want to
> use the same database for the certificates so that everything is more
> clean and consistent. Is it possible to change the CA (the public key
> & private key) without any problems?
>
> Or is it possible to have 2 private keys and choose which one to sign
> with using OpenCA?
>
> Any comments/ideas are welcome.

--

Best Regards,

        Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]                   openca@...
                                                  project.manager@...

Dartmouth Computer Science Dept               Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory                          Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us
who do.
                                                           -- Isaac Asimov




Re: [Important] - Change of CA private key | use of 2 private keys at same time?

by blainedw


One specific one that I know of is Cisco VPN concentrators. All keysizes in the entire chain must be 2048 or less.



Re: [Important] - Change of CA private key | use of 2 private keys at same time?

by Yildirim Zaynal

Hi all,

Thank you very much for all of your answers. It helps to get different
opinions and views..

The applications are really not standard applications; some are
publicly available, but they are quite old versions, so you don't have
the same problem with the newer versions. Upgrading these apps would
be the best solution, but this costs money and time and requires approval...
==> not gonna happen :-).

My other question would be the rekeying. How would I proceed then if I
want to change the CA to a new one because it will expire soon?

Any guides on how to rekey the CA in OpenCA would be greatly
appreciated. Rekeying and CA rollover are the same thing, right??

Kind regards,



On 2009/10/7, <blainedw@...> wrote:

>
> One specific one that I know of is Cisco VPN concentrators. All keysizes in
> the entire chain must be 2048 or less.

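The re-key that Max describes (regenerate the CA key, self-sign again, re-issue the end-entity certificates early) and the rekeying/roll-over question in the last message, worked through as an added example. This is illustrative Go code written for this page, not OpenCA's code; it uses only the standard-library crypto/x509 package, and every name in it (Old Root CA, Sub CA, Root CA G2, vpn.example.test) and all keys are constructed in memory for the demo. It first builds the sub-CA path to show the point Dominique and Max make, that the chain still ends at the 4096-bit root, then the re-keyed 2048-bit root with the server certificate re-issued under it, and finally a "new with old" cross-certificate, the usual roll-over bridge for relying parties that still trust only the old root. A key-size cap such as the Cisco one blainedw mentions is checked by reporting the largest RSA modulus on each validated chain.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// nextSerial is a demo-only counter; a real CA tracks serials in its database.
var nextSerial int64

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a minimal certificate template. CA templates carry the
// basicConstraints and keyCertSign bits that crypto/x509 requires when it
// builds chains; end-entity templates get a serverAuth EKU instead.
func template(cn string, isCA bool) *x509.Certificate {
	nextSerial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl over pub with signer, the issuing CA's private key.
// parent == nil yields a self-signed certificate, i.e. a root.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

func genKey(bits int) *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	check(err)
	return k
}

func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// MaxRSABits validates leaf against the given intermediates and trust anchors
// and returns the largest RSA modulus on the resulting chain: the number a
// relying party capped at 2048-bit keys would reject.
func MaxRSABits(leaf *x509.Certificate, inter, roots []*x509.Certificate) int {
	chains, err := leaf.Verify(x509.VerifyOptions{
		Intermediates: pool(inter...),
		Roots:         pool(roots...),
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	check(err)
	largest := 0
	for _, c := range chains[0] {
		if pk, ok := c.PublicKey.(*rsa.PublicKey); ok && pk.N.BitLen() > largest {
			largest = pk.N.BitLen()
		}
	}
	return largest
}

// Result holds the largest key size seen on each validation path.
type Result struct{ SubCAPath, RekeyedPath, CrossCertPath int }

// Run plays out the thread: a 4096-bit root with a 2048-bit sub-CA under it,
// then a re-keyed 2048-bit root with the end-entity cert re-issued (early
// renewal), plus a "new with old" cross-certificate for clients that still
// trust only the old root.
func Run() Result {
	oldKey, subKey, newKey, eeKey := genKey(4096), genKey(2048), genKey(2048), genKey(2048)

	oldRoot := issue(template("Old Root CA", true), nil, &oldKey.PublicKey, oldKey)
	subCA := issue(template("Sub CA", true), oldRoot, &subKey.PublicKey, oldKey)
	ee1 := issue(template("vpn.example.test", false), subCA, &eeKey.PublicKey, subKey)

	newRoot := issue(template("Root CA G2", true), nil, &newKey.PublicKey, newKey)
	ee2 := issue(template("vpn.example.test", false), newRoot, &eeKey.PublicKey, newKey) // same EE key, re-issued
	cross := issue(template("Root CA G2", true), oldRoot, &newKey.PublicKey, oldKey)    // new key signed by old root

	return Result{
		SubCAPath:     MaxRSABits(ee1, []*x509.Certificate{subCA}, []*x509.Certificate{oldRoot}),
		RekeyedPath:   MaxRSABits(ee2, nil, []*x509.Certificate{newRoot}),
		CrossCertPath: MaxRSABits(ee2, []*x509.Certificate{cross}, []*x509.Certificate{oldRoot}),
	}
}

func main() {
	r := Run()
	fmt.Printf("sub-CA under old root:  %d bits\n", r.SubCAPath)     // 4096
	fmt.Printf("re-keyed root only:     %d bits\n", r.RekeyedPath)   // 2048
	fmt.Printf("cross-cert to old root: %d bits\n", r.CrossCertPath) // 4096
}
```

Rekeying (a fresh key pair and a fresh self-signed certificate) is one step of a roll-over; the roll-over is the whole transition, and the cross-certificate output shows why that bridge only helps clients without a key-size cap: validating through the cross-certificate still puts the 4096-bit root on the chain, so a capped client must be given the new 2048-bit root directly as a trust anchor and must receive certificates re-issued under it.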