I don't follow something here.
You say "if any certificate expires while the CA is down"
as if certificate expiration would occur at any time.
Certificates are usually long lived (>= 1 year) and there is
no problem in renewing early (say 1 month ahead of expiration)
so either I'm missing something or you are troubled by a failure
that could have, if properly managed, one month to be fixed?
-Carlos
mohammed shoeb ahmed @ 9/01/2010 12:47 -0300 dixit:
> Hi Group,
>
> I am testing GET VPN with redundant KS, with a single CA. My primary KS is
> also the CA for the GET VPN. I am thinking that if my primary KS is down, the CA will
> also be down; if any certificate expires while the CA is down, the
> secondary KS will be of no use because clients will not be able to
> authenticate through the certificates. So the best practice would be having
> a redundant CA as well.
>
> I didn't see any working example configuration of a redundant CA in the GET VPN
> literature. I would appreciate it if someone could provide any example configuration
> of the redundant CA or point to any reference documents.
>
>
--
Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina

Received on Mon Jan 11 2010 - 08:46:20 ART