
Re: [certtest] New release certification test application

  • To: Peter Tavenier <Peter.Tavenier@localhost>
  • From: Tim Bruijnzeels <tim@localhost>
  • Date: Thu, 04 Sep 2008 12:08:39 +0200

Hi Peter, list,

Peter Tavenier wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Tim,
>
> our key at certtest@localhost. is in status MAINTENANCE.
> What does this mean?


Ok, I should have mentioned this to the list probably...

We have done some work on key life cycle management already.

A key pair can have the following statuses:

0- NEW
1- ACTIVE
2- MAINTENANCE
3- REVOKED (not yet implemented)
4- EXPIRED (not yet implemented)

We meant to make sure that your most recent key pair got the status 'ACTIVE' after the upgrade, but unfortunately I made a mistake and this didn't work... sorry guys. See below on how to get a new active key.

0-NEW:

A key pair has just been generated. But it's not in use: there is no resource certificate associated with it.

1-ACTIVE:

A resource certificate has been requested for the keypair. This certificate will be your CA's _active_ certificate and it will be used for all new signing requests.

So in answer to why you can't create ROAs right now, you need to go to the 'My Keys page' and:
a) generate a new key pair.
b) request a certificate for it.

Then you can go to the My ROAs page and create a new ROA.

2-MAINTENANCE:

When a new key pair & certificate becomes 'active' the previous active key will become 'maintenance'. This means that the certificate is kept around so that objects that were signed with it (e.g. old ROAs) remain valid. Also it's necessary to keep it around so Certificate Revocation Lists (CRLs) may be generated.

3-REVOKED (not yet implemented):

In the future we will introduce the possibility to revoke a keypair. The system will then revoke all certificates associated with this key, invalidating everything that was signed with this key. More information on this will follow in a future release.

4-EXPIRED (not yet implemented):

When all objects that were signed with a key are expired we can essentially consider the key as being expired. It can be retired because there is no need anymore to maintain a CRL.


Note that right now the system allows you to request new certificates and updates on a per key basis. In the next release we will simplify this so you don't have to update all keys individually.


Sorry for the confusion and the migration mishap,


Regards,


Tim Bruijnzeels

--
Tim Bruijnzeels
Software Engineer
RIPE NCC

t: +31 20 535 4309
e: tim@localhost
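The key life cycle described in the message above (NEW, ACTIVE, MAINTENANCE, REVOKED, EXPIRED) can be written down as a small state machine. The model below is an added illustration, not code from the RIPE NCC certification test application or from this thread; the class and method names, the integer "time" and the ROA data are all constructed for the example. It encodes the rules the message states: only a NEW key can be certified, certifying a key makes it ACTIVE and demotes the previous ACTIVE key to MAINTENANCE, a CA with no ACTIVE key cannot create a ROA (the migration situation Peter ran into), objects signed with a MAINTENANCE key stay valid and that key still needs a CRL, and a MAINTENANCE key can only be retired once everything it signed has expired.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class KeyStatus(Enum):
    """The five statuses listed in the message (3 and 4 were 'not yet implemented')."""
    NEW = 0
    ACTIVE = 1
    MAINTENANCE = 2
    REVOKED = 3
    EXPIRED = 4


@dataclass
class KeyPair:
    key_id: str
    status: KeyStatus = KeyStatus.NEW


@dataclass
class SignedObject:
    """A signed product such as a ROA. 'not_after' is a constructed integer clock, not a real date."""
    name: str
    signing_key: str
    not_after: int


class CertificationAuthority:
    """Hypothetical model of one CA's key pairs and the objects it has signed."""

    def __init__(self) -> None:
        self.keys: Dict[str, KeyPair] = {}
        self.objects: List[SignedObject] = []
        self._counter = 0

    def generate_key_pair(self) -> str:
        """Step (a): a fresh key pair is NEW, with no certificate behind it yet."""
        self._counter += 1
        key_id = f"key-{self._counter}"
        self.keys[key_id] = KeyPair(key_id)
        return key_id

    def request_certificate(self, key_id: str) -> None:
        """Step (b): certifying a NEW key makes it ACTIVE; the old ACTIVE key drops to MAINTENANCE."""
        key = self.keys[key_id]
        if key.status is not KeyStatus.NEW:
            raise ValueError(f"{key_id} is {key.status.name}; only a NEW key can be certified")
        for other in self.keys.values():
            if other.status is KeyStatus.ACTIVE:
                other.status = KeyStatus.MAINTENANCE
        key.status = KeyStatus.ACTIVE

    def active_key(self) -> Optional[KeyPair]:
        return next((k for k in self.keys.values() if k.status is KeyStatus.ACTIVE), None)

    def sign_object(self, name: str, not_after: int) -> SignedObject:
        """Creating a ROA needs an ACTIVE key; a CA left with only MAINTENANCE keys cannot sign."""
        key = self.active_key()
        if key is None:
            raise RuntimeError("no ACTIVE key: generate a key pair and request a certificate first")
        obj = SignedObject(name, key.key_id, not_after)
        self.objects.append(obj)
        return obj

    def is_valid(self, obj: SignedObject, now: int) -> bool:
        """Objects stay valid under a MAINTENANCE key; a REVOKED or EXPIRED key invalidates them."""
        key = self.keys[obj.signing_key]
        return key.status in (KeyStatus.ACTIVE, KeyStatus.MAINTENANCE) and now <= obj.not_after

    def keys_needing_crl(self) -> List[str]:
        """ACTIVE and MAINTENANCE keys must still publish a CRL; retired keys need none."""
        live = (KeyStatus.ACTIVE, KeyStatus.MAINTENANCE)
        return [k.key_id for k in self.keys.values() if k.status in live]

    def revoke_key(self, key_id: str) -> None:
        """Status 3 as described: everything signed with the key becomes invalid."""
        self.keys[key_id].status = KeyStatus.REVOKED

    def retire_expired_keys(self, now: int) -> List[str]:
        """Status 4 as described: retire a MAINTENANCE key once all objects it signed have expired."""
        retired = []
        for key in self.keys.values():
            if key.status is not KeyStatus.MAINTENANCE:
                continue
            signed = [o for o in self.objects if o.signing_key == key.key_id]
            if all(o.not_after < now for o in signed):
                key.status = KeyStatus.EXPIRED
                retired.append(key.key_id)
        return retired


def rollover_scenario() -> dict:
    """Generate, certify, sign a ROA, roll over to a new key, then retire the old one."""
    ca = CertificationAuthority()
    k1 = ca.generate_key_pair()
    ca.request_certificate(k1)
    roa = ca.sign_object("roa-1", not_after=10)   # constructed ROA expiring at t=10
    k2 = ca.generate_key_pair()
    ca.request_certificate(k2)                      # rollover: k1 -> MAINTENANCE, k2 -> ACTIVE
    after_rollover = (ca.keys[k1].status.name, ca.keys[k2].status.name)
    return {
        "after_rollover": after_rollover,
        "roa_valid_at_5": ca.is_valid(roa, now=5),
        "retired_at_5": ca.retire_expired_keys(now=5),    # roa-1 still live, nothing retires
        "retired_at_11": ca.retire_expired_keys(now=11),  # roa-1 expired, k1 can go
        "crl_keys_at_end": ca.keys_needing_crl(),
    }
```

The `rollover_scenario` function reproduces the happy path from the message; the migration mishap is the case where the only key is in MAINTENANCE, which makes `sign_object` refuse with the same advice the message gives (generate a key pair, then request a certificate for it).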