Re: [certtest] New release certification test application
To: Peter Tavenier <Peter.Tavenier@localhost
From: Tim Bruijnzeels tim@localhost
Date: Thu, 04 Sep 2008 12:08:39 +0200
Hi Peter, list,
Peter Tavenier wrote:
-----BEGIN PGP SIGNED MESSAGE-----
our key at certtest@localhost. is in status MAINTENANCE.
What does this mean?
Ok, I should have mentioned this to the list probably...
We have done some work on key life cycle management already.
A key pair can have the following statuses:
3- REVOKED (not yet implemented)
4- EXPIRED (not yet implemented)
We meant to make sure that your most recent key pair got the status
'ACTIVE' after the upgrade, but unfortunately I made a mistake and this
didn't work.. sorry guys. See below on how to get a new active key.
A key pair has just been generated. But it's not in use: there is no
resource certificate associated with it.
A resource certificate has been requested for the keypair. This
certificate will be your CA's _active_ certificate and it will be used
for all new signing reuqests.
So in answer to why you can't create ROAs right now, you need to go to
the 'My Keys page' and:
a) generate a new key pair.
b) request a certificate for it.
Then you can go the My ROAs page and create a new ROA.
When a new key pair & certificate becomes 'active' the previous active
key will become 'maintenance'. This means that the certificate is kept
around so that objects that were signed with it (e.g. old ROAs) remain
valid. Also it's necessary to keep it around so Certificate Revocation
Lists (CRLs) may be generated.
3-REVOKED (not yet implemented):
In the future we will introduce the possibility to revoke a keypair. The
system will then revoke all certificates asociated with this key
invalidating everything that was signed with this key. More information
on this will follow in a future release.
4-EXPIRED (not yet implemented):
When all objects that were signed with a key are expired we can
essentially consider the key as being expired. It can be retired because
there is no need anymore to maintain a CRL.
Note that right now the system allows you to request new certificates
and updates on a per key basis. In the next release we will simplify
this so you don't have to update all keys individually.
Sorry for the confusion and the migration mishap,
t: +31 20 535 4309