CA certs are not valid for eternity. While preparing for upgrading the cert, there is a period where both the old and new certificates need to be present in the client certificate databases. Certmonger needs to be an active participant in the rollover process.
A large part of solving this is on the CA side.
Certmonger is going to need to know how to poll the CAs in order to get a list of the active CA certs.
Certmonger will need to know the approach for updating NSS, OpenSSL directory and, potentially, PEM file-based certificates.
New milestone was created for milestone-less tickets.
Metadata Update from @mkosek:
- Issue set to the milestone: 0.0 NEEDS_TRIAGE