The end users should ideally not be prompted when they see a certificate renewed by the same CA. It should also ideally be a /renewal/ of the old one, and not an entirely new private key generated each time as well. Of course everything could be tuneable.
I believe these are sane defaults.
* Prompt on CA change? (Default Yes)
* Prompt on private key change? (Default No IF the cached certificate is on the old CA's revocation list.)
* Prompt on CA renewal? (Default No)
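A sketch of that decision logic, added here as an example and not part of the thread: it compares the cached certificate with the one just presented, classifies the change (CA change, key change, or plain renewal) and applies the proposed defaults as tuneable policy knobs. The `CertInfo` and `PromptPolicy` types and the fingerprint fields are constructed assumptions, and the key-change rule is read as "prompt unless the cached certificate is already on its CA's revocation list".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CertInfo:
    # What a client would extract from a leaf certificate (constructed fields, not a real parser).
    issuer: str            # issuing CA's distinguished name
    spki_sha256: str       # fingerprint of the leaf's public key (SubjectPublicKeyInfo)
    serial: str            # certificate serial number
    revoked: bool = False  # True if this serial is on its CA's revocation list


@dataclass(frozen=True)
class PromptPolicy:
    # The defaults proposed in the post; every knob is tuneable.
    prompt_on_ca_change: bool = True
    prompt_on_key_change: bool = True          # ...unless the cached cert was revoked (see below)
    skip_key_prompt_if_cached_revoked: bool = True
    prompt_on_renewal: bool = False


def classify(cached: CertInfo, seen: CertInfo) -> str:
    """Name the kind of change between the cached certificate and the one just seen."""
    if cached.issuer != seen.issuer:
        return "ca-change"
    if cached.spki_sha256 != seen.spki_sha256:
        return "key-change"   # same CA signed a certificate for a new key
    if cached.serial != seen.serial:
        return "renewal"      # same CA, same key, freshly issued certificate
    return "unchanged"


def should_prompt(cached: CertInfo, seen: CertInfo, policy: PromptPolicy = PromptPolicy()) -> bool:
    """Apply the policy to the classified change and decide whether to bother the user."""
    change = classify(cached, seen)
    if change == "ca-change":
        return policy.prompt_on_ca_change
    if change == "key-change":
        if cached.revoked and policy.skip_key_prompt_if_cached_revoked:
            return False      # a revoked cert explains the new key; stay silent
        return policy.prompt_on_key_change
    if change == "renewal":
        return policy.prompt_on_renewal
    return False


if __name__ == "__main__":
    cached = CertInfo("CN=Example CA", "sha256:aaaa", "0x01")  # constructed sample
    for seen in (CertInfo("CN=Example CA", "sha256:aaaa", "0x02"),
                 CertInfo("CN=Example CA", "sha256:bbbb", "0x02"),
                 CertInfo("CN=Other CA", "sha256:aaaa", "0x02")):
        print(classify(cached, seen), "-> prompt" if should_prompt(cached, seen) else "-> silent")
```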
> It should also ideally be a /renewal/ of the old one, and not an entirely new private key generated each time as well
Sure? A new key provides quite a bit of security benefit because even if the key got loose without you noticing, three months later it won't be usable any more once the new cert is made for a new key.