
PKI: CA Signing Key Expiry and CRL Publication

Posted by Dave W on July 8, 2005, 7:41 am
Could someone explain how a CA continues to sign a CRL for certificates that
it issued with a particular CA signing key pair, once that key pair has
expired? My understanding of the Windows CA is that the CA signing key that
was used to sign a certificate must be used to sign the CRL upon which that
certificate would "potentially" appear.

I know that a CA cannot sign certificates with a lifetime that is equal to or
greater than the CA's signing key pair, but I'm considering a situation where
the CA signing key pair needs to be rekeyed due to a suspected compromise.

Regards,

Dave

