Thanks Buchan, but:
I've made the following tests:
My current root CA : cacert.pem
My current server certificates: certificate_server.pem and
With these files, communication between clients and server is OK
I create a new CA: cacert2.pem
and the new server certificates: certificate2_server.pem and
With these certificates, communication between client and server is OK
My last test is:
cacert.pem + cacert2.pem in the cacert3.pem file (this file is copied on the
ldap server and each client)
certificate_server.pem + certificate2_server.pem in the
certificate_server_private.pem + certificate2_server_private.pem in the
Before expiration time of cacert.pem, communication between client and
server is OK
After expiration time of cacert.pem, communication between client and server
is NOK!
2010/2/12 Buchan Milne <bgmilne(a)staff.telkomsa.net>
On Thursday, 11 February 2010 12:18:37 Philippe Bloix wrote:
> My root CA will expire soon. What is the best method to avoid breaking
> ldap server and ldap client communication?
> If I create a new root CA, then I will have to copy this new root CA on
> each ldap client (several hundred). In this case, is it possible to
> from the old root CA to the new root CA without a break between server
> client? How?
You should be able to deploy a new CA certificate file that contains both
certificates. As long as you deploy the combined CA cert file before you
new certs, and replace all the client or server certificates before the old
expires, you should have no interruption of service.
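As an added illustration of the rollover Buchan describes (this is not from the original thread and is not OpenLDAP code), the Go program below builds an old root CA that expires in 30 days, a new long-lived CA, one server certificate issued by each, and the combined CA file made by concatenating the two CA certificates. It then checks what a client holding that file accepts today and 60 days from now, and what a client that still has only the old CA file accepts. It also loads a concatenated server certificate file plus concatenated key file the way an OpenSSL-based TLS server does (the first certificate in the file is the one presented, later ones are treated as chain; this is an assumption about the server, stated here, that matches the NOK result reported above). All material (Old Root CA, New Root CA, ldap.example.org, the file contents) is constructed in memory and hypothetical; nothing is read from or written to disk.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical in-memory stand-ins for the page's files (cacert.pem, cacert2.pem, ...); nothing touches disk.
var now = time.Now()

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// template: a root CA (isCA) or LDAP server certificate valid from an hour ago until now+lifetime.
func template(cn string, lifetime time.Duration, isCA bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(lifetime)}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl under parent (self-signed root when parent is nil); returns parsed cert, key, cert PEM, key PEM.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	keyDER, err := x509.MarshalECPrivateKey(key)
	must(err)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

// cat joins two PEM files, like `cat cacert.pem cacert2.pem > cacert3.pem`.
func cat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }

// verifyAt is the client side: validate the received server cert against the client's CA file
// (every CERTIFICATE block in the file is a trusted root) as of time t.
func verifyAt(serverPEM, caFile []byte, t time.Time) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caFile) {
		return fmt.Errorf("no CA certificates in CA file")
	}
	block, _ := pem.Decode(serverPEM)
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "ldap.example.org", CurrentTime: t})
	return err
}

// presentedBy loads cert and key files as a TLS server does: the FIRST certificate in the file is
// the one presented (the rest is chain), and the first private key must belong to it.
func presentedBy(certFile, keyFile []byte) (*x509.Certificate, error) {
	pair, err := tls.X509KeyPair(certFile, keyFile)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(pair.Certificate[0])
}

type rollover struct{ oldCA, newCA, combinedCA, oldSrv, oldKey, newSrv, newKey []byte }

// scenario mirrors the page: old CA expiring in 30 days, long-lived new CA, a server cert from each, combined CA file.
func scenario() rollover {
	oldCA, oldCAKey, oldCAPEM, _ := sign(template("Old Root CA", 30*24*time.Hour, true), nil, nil)
	newCA, newCAKey, newCAPEM, _ := sign(template("New Root CA", 3650*24*time.Hour, true), nil, nil)
	_, _, oldSrv, oldKey := sign(template("ldap.example.org", 365*24*time.Hour, false), oldCA, oldCAKey)
	_, _, newSrv, newKey := sign(template("ldap.example.org", 365*24*time.Hour, false), newCA, newCAKey)
	return rollover{oldCAPEM, newCAPEM, cat(oldCAPEM, newCAPEM), oldSrv, oldKey, newSrv, newKey}
}

func main() {
	r, later := scenario(), now.Add(60*24*time.Hour) // by "later" the old CA has expired
	fmt.Println("new server cert, client has only old CA file, today:", verifyAt(r.newSrv, r.oldCA, now))
	fmt.Println("old server cert, combined CA file, +60d:", verifyAt(r.oldSrv, r.combinedCA, later))
	fmt.Println("new server cert, combined CA file, +60d:", verifyAt(r.newSrv, r.combinedCA, later))
	leaf, err := presentedBy(cat(r.oldSrv, r.newSrv), cat(r.oldKey, r.newKey)) // the page's last test
	must(err)
	fmt.Println("concatenated server file presents the certificate issued by:", leaf.Issuer.CommonName)
}
```

Read together, the checks give the order Buchan recommends: a client that only has the old CA file rejects the new server certificate, so the combined CA file has to reach every client first; once it has, both server certificates verify today, but only the one issued by the new CA still verifies after the old CA's expiry. Concatenating both server certificates into one file does not help, because the server presents only the first one, which still chains to the CA that expired; the server certificate and key have to be replaced with the new pair before that date.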