How to change root CA certificate?
I am running an own CA for my network, just to have it installed into the browser, so that I can see if a server still has the certificate I created (vulgar: having the green lock).
Of course I just had to revoke all my certs after updating OpenSSL and to be completely paranoid, I also want to revoke my root certificate. The question is: how am I doing this without creating a totally new CA? Is this even possible to create a new certificate for my CA?
Solution 1:
You can't do this, but there is no reason to. Unless you, for some strange reason, also used the CA certificate and key as an actual service-authorising certificate, on a machine exposed to the internet, on a service that supported TLS, it is not likely to have been compromised.
You will notice that, in the mad flurry of updates post-heartbleed, one thing we haven't seen is all the big certification agencies revoking their roots, and publishing new ones.
Solution 2:
Normally you shall not keep your top root certificate on a machine that is online. You shall have a root certificate that is kept totally offline (like on an USB stick or 2) and have intermediate certificates that you use to sign your various others. This way, in case of a more serious security breach, you can revoke some or all of the intermediate CAs and issue new ones.