Protocol for renewing CA certs

help-gnutls

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Protocol for renewing CA certs

From:	Sam Varshavchik
Subject:	Protocol for renewing CA certs
Date:	Sat, 24 Sep 2011 11:14:32 -0400

A logistical question occured to me, while I was browsing through the codethat verifies certificates.

_gnutls_verify_certificate2() locates a certificate's signing CA by invokingfind_issuer(), which searches the list of trusted CAs. The search simplycompares each CA's entire DN against the certificate's issuer's DN.

Once a matching DN is found, _gnutls_verify_certificate2() tries that CAcert, and if it doesn't work it does not look for any other DNs that match.

When a particular's CA cert's expiration time approaches, naturally the CAwould generate a new cert and begin signing new certificates using its newcert. But because there are still valid certificates signed by the expiringcerts, both the old and the new certs must be on the trusted list, until theold cert expires.

So, that means that the new cert must have a different DN? I originallythought that it's sufficient to generate a new cert with the same DN, and anew expiration, but this doesn't seem to be the case, and the new cert hasto have a different DN, correct?

pgp0VsrlE0TXl.pgp
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

Protocol for renewing CA certs, Sam Varshavchik <=
- Re: Protocol for renewing CA certs, Nikos Mavrogiannopoulos, 2011/09/25
  - Re: Protocol for renewing CA certs, Sam Varshavchik, 2011/09/25
    - Re: Protocol for renewing CA certs, Nikos Mavrogiannopoulos, 2011/09/26

Prev by Date: Re: alleged attack on TLS
Next by Date: Re: Protocol for renewing CA certs
Previous by thread: compilation error
Next by thread: Re: Protocol for renewing CA certs
Index(es):
- Date
- Thread