Company Root CA Cert expiry

bentoms
Release Candidate Programs Tester

Hi guys,

Our company root CA cert expires annually & is due to expire in a few weeks' time.

A new cert has been generated.

So I'm wondering if all I need to do is to distribute this new cert (which is named the same as the current cert), then when the current cert expires the new one should be used.

Is it that simple?

Regards,

Ben.


jarednichols
Honored Contributor

If the new cert's valid from date has already passed, as soon as you install the new one it should take over. You're probably going to want to delete the existing one just to be on the safe side as you don't want two valid CA certs.

Dumb question: Why make your CA expire annually? Public CAs are good for like 20 years.

j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

bentoms
Release Candidate Programs Tester

Thanks!

As to the expiry, it's not a dumb question at all & one I will raise. (It will probably be met with... "We've always done it this way"... or... "It's more secure"... ugh.)

I just wanted to make sure that I'm prepared for the change.

Is removing the expired cert needed? Or is it a best practice thing?

Regards,

Ben.

Not applicable

Speaking of certs, what's the best way to distribute a cert to a system that hasn't had one before?

My company requires a cert in order to connect to its internal Lync server and it would be great to package the cert along with the client install.

Thanks

-- -- -- -- -- -- -- -- -- --
Dave Simon
Director, Media Engineering and Operations

T +1.415.808.3594 | F +1.415.808.3535 | C +1.617.908.5043
600 Harrison St • San Francisco, CA • 94107

PRN | media where & when it matters

bbergstein
New Contributor III

I deploy our Communicator cert with a PKG. Basically, it drops the cert file in a given location, then uses the script (as a post-script) from the resource kit to import it. This works really nicely for us, and I have a policy set up that is triggered at the end of the office installation, so it's completely automated.

--benji

bentoms
Release Candidate Programs Tester

Our Communicator cert was the root cert.

Our Lync cert is separate.

But I use the resource kit script to import.

Regards,

Ben.

jarednichols
Honored Contributor

Yup. I see the policy containing two packages. One for Lync itself (and possibly 3 packages actually as there's an update for Lync now) and the other for the cert file laid down in some staging area (perhaps your own /Library/Application Support/<companyname> folder). Post-install script to install the cert.

j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
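
The staged-cert-plus-post-install approach described in the replies above, as an added example that is not part of the original thread and is not the resource kit script: it checks that the new root's valid-from date has passed before trusting it, then imports it with the macOS `security` tool. The staging path, the `ExampleCo` name and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: postinstall script for a PKG that staged a new root CA cert.
# The staging path and company name are hypothetical placeholders.
STAGED_CERT="${STAGED_CERT:-/Library/Application Support/ExampleCo/rootca.pem}"
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"

# Convert an openssl date such as "Jan  5 12:00:00 2030 GMT" to epoch seconds.
# Tries GNU date first, then the BSD date shipped with macOS.
to_epoch() {
    date -u -d "$1" +%s 2>/dev/null ||
        date -j -u -f "%b %e %T %Y %Z" "$1" +%s 2>/dev/null
}

# Succeeds only if the cert parses, its valid-from date has passed, and it
# will still be valid $2 seconds from now (default 0).
cert_is_current() {
    cert="$1"; margin="${2:-0}"
    start=$(openssl x509 -in "$cert" -noout -startdate 2>/dev/null) || return 1
    start_epoch=$(to_epoch "${start#notBefore=}") || return 1
    [ "$start_epoch" -le "$(date -u +%s)" ] || return 1
    openssl x509 -in "$cert" -noout -checkend "$margin" >/dev/null 2>&1
}

install_root() {
    if ! cert_is_current "$STAGED_CERT"; then
        echo "refusing to trust $STAGED_CERT: outside its validity window" >&2
        return 1
    fi
    # Log the fingerprint so the deployment can be compared with the value
    # published by whoever issued the new root.
    openssl x509 -in "$STAGED_CERT" -noout -fingerprint -sha256
    # Add to the System keychain as a trusted root (must run as root).
    security add-trusted-cert -d -r trustRoot -k "$SYSTEM_KEYCHAIN" "$STAGED_CERT"
}

# Run the import only when invoked as the package's postinstall script.
case "$0" in
    postinstall|*/postinstall) install_root ;;
esac
```

Calling `cert_is_current` with a margin (for example 2592000 for 30 days) also works as a pre-expiry check against the certificate currently deployed.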