The current code to manage certificate renewal is unnecessary.
A certificate renewal is simple:
revoke foo: Revoke the current certificate.
sign-req bar foo: Re-sign the original request.
All that is required is to keep the original request in the pki/reqs folder when revoking the old certificate.
The only problem is that the old certificate must be revoked before the new certificate can be signed and distributed.
This can be worked around by not updating the certificate revocation list until the new certificate has been deployed. Not ideal.
However, there is another approach:
New command expire $name - Move the old/expired certificate out of the way, so that a new certificate can be signed, without the need to revoke the old certificate.
Once expired, there is little reason to formally revoke a certificate. However, revoke-renewed can be repurposed (eg. revoke-expired) for such an eventuality.
TinCanTech
commented
4 months ago
Redirect
renewto the correct procedure.The current code to manage certificate renewal is unnecessary.
A certificate renewal is simple:
revoke foo: Revoke the current certificate.sign-req bar foo: Re-sign the original request.All that is required is to keep the original request in the
pki/reqsfolder when revoking the old certificate.The only problem is that the old certificate must be revoked before the new certificate can be signed and distributed.
This can be worked around by not updating the certificate revocation list until the new certificate has been deployed. Not ideal.
However, there is another approach:
expire $name- Move the old/expired certificate out of the way, so that a new certificate can be signed, without the need torevokethe old certificate.Once expired, there is little reason to formally
revokea certificate. However,revoke-renewedcan be repurposed (eg.revoke-expired) for such an eventuality.