Thanks Buchan, but:

I've made the following tests:

1) My current root CA: cacert.pem. My current server certificates: certificate_server.pem and certificate_server_private.pem. With these files, communication between clients and server is OK.

2) I create a new CA: cacert2.pem, and the new server certificates: certificate2_server.pem and certificate2_server_private.pem. With these certificates, communication between client and server is OK.

3) My last test is: cacert.pem + cacert2.pem in the cacert3.pem file (this file is copied on the LDAP server and each client); certificate_server.pem + certificate2_server.pem in the certificate3_server.pem file; certificate_server_private.pem + certificate2_server_private.pem in the certificate3_server_private.pem file. Before the expiration time of cacert.pem, communication between client and server is OK. After the expiration time of cacert.pem, communication between client and server is NOK!

What's wrong?
Regards,
Philippe

2010/2/12 Buchan Milne <bgmilne@staff.telkomsa.net>:
On Thursday, 11 February 2010 12:18:37 Philippe Bloix wrote:
Hi,

My root CA will expire soon. What is the best method to avoid a break between LDAP server and LDAP client communication?

If I create a new root CA, then I will have to copy this new root CA on each LDAP client (several hundred). In this case, is it possible to switch from the old root CA to the new root CA without a break between server and client? How?
You should be able to deploy a new CA certificate file that contains both CA certificates. As long as you deploy the combined CA cert file before you issue new certs, and replace all the client or server certificates before the old CA expires, you should have no interruption of service.
Regards, Buchan
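Buchan's procedure as an added shell example (this is not code from the thread): both roots go into the one trust file that every client and server receives, each server keeps a single certificate and a single private key issued by one of the two roots, and `openssl verify -attime` rehearses the old root's expiry before it happens. The file names follow the thread; the CA key file names, the subject names, the host name `ldap.example.test`, the validity periods and the helper function names are assumptions made for the demo. It needs only the `openssl` command-line tool and works in a temporary directory.

```shell
#!/bin/sh
# CA rollover rehearsal for an LDAP TLS setup (added example, not from the thread).
# File names follow the thread; CA key names, subjects, host name and validity
# periods are assumptions for the demo. Requires the openssl CLI.
set -e

WORK="${WORK:-$(mktemp -d)}"
CFG="$WORK/openssl.cnf"

# Minimal config so the demo does not depend on the system openssl.cnf.
write_config() {
    cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.test
EOF
}

# make_ca <basename> <CN> <days>: self-signed root, key in <basename>_key.pem
make_ca() {
    openssl req -x509 -config "$CFG" -extensions v3_ca -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -days "$3" \
        -keyout "$WORK/$1_key.pem" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_server_cert <ca basename> <cert basename>: one cert and one key per server
issue_server_cert() {
    openssl req -new -config "$CFG" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=ldap.example.test" \
        -keyout "$WORK/$2_private.pem" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -sha256 -days 365 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1_key.pem" -CAcreateserial \
        -extfile "$CFG" -extensions v3_server \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Step 1 of the procedure: the trust file every client and server receives holds
# both roots, so certificates from either CA chain up during the transition.
build_bundle() {
    cat "$WORK/cacert.pem" "$WORK/cacert2.pem" > "$WORK/cacert3.pem"
}

# verify_at <cert basename> <epoch seconds>: does the chain verify at that time?
# Prints ok/fail. -attime lets you rehearse the old root's expiry in advance.
verify_at() {
    if openssl verify -attime "$2" -CAfile "$WORK/cacert3.pem" "$WORK/$1.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

verify_now() { verify_at "$1" "$(date +%s)"; }

# count_expiring <days>: how many certs in the bundle expire within <days>.
# -checkend only reads the first PEM block, so split the bundle first.
count_expiring() {
    secs=$(( $1 * 86400 ))
    awk -v dir="$WORK" '/-----BEGIN CERTIFICATE-----/ {n++} {print > (dir "/bundle_part_" n ".pem")}' \
        "$WORK/cacert3.pem"
    n=0
    for f in "$WORK"/bundle_part_*.pem; do
        if ! openssl x509 -noout -checkend "$secs" -in "$f" >/dev/null 2>&1; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Demo: old root expiring in 20 days, new root good for ten years.
rollover_demo() {
    write_config
    make_ca cacert  "Old LDAP Root CA" 20
    make_ca cacert2 "New LDAP Root CA" 3650
    issue_server_cert cacert  certificate_server      # still chained to the old root
    issue_server_cert cacert2 certificate2_server     # replacement, new root
    build_bundle
    echo "now, old-root cert:    $(verify_now certificate_server)"    # ok
    echo "now, new-root cert:    $(verify_now certificate2_server)"   # ok
    echo "roots expiring in 30d: $(count_expiring 30)"                # 1
    later=$(( $(date +%s) + 25 * 86400 ))
    echo "+25d, old-root cert:   $(verify_at certificate_server "$later")"   # fail
    echo "+25d, new-root cert:   $(verify_at certificate2_server "$later")"  # ok
}

rollover_demo
```

`count_expiring 30` reports how many roots in the bundle expire within 30 days; that is the signal that every server certificate still chained to that root needs reissuing under the new one, as Buchan says. The `-attime` check shows the outcome after that date: a certificate issued by the expiring root stops verifying even though its own validity dates are fine, while one issued by the new root keeps verifying against the same bundle. A TLS server presents one certificate, so each server should be pointed at one certificate file and one matching key file at a time; the CA bundle is the file that carries two PEM blocks.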