From: Sam Varshavchik
Subject: Protocol for renewing CA certs
Date: Sat, 24 Sep 2011 11:14:32 -0400
_gnutls_verify_certificate2() locates a certificate's signing CA by invoking find_issuer(), which searches the list of trusted CAs. The search simply compares each CA's entire DN against the certificate's issuer's DN.
Once a matching DN is found, _gnutls_verify_certificate2() tries that CA cert, and if it doesn't work it does not look for any other DNs that match.
When a particular CA cert's expiration time approaches, naturally the CA would generate a new cert and begin signing new certificates using its new cert. But because there are still valid certificates signed by the expiring cert, both the old and the new certs must be on the trusted list, until the old cert expires.
So, that means that the new cert must have a different DN? I originally thought that it's sufficient to generate a new cert with the same DN, and a new expiration, but this doesn't seem to be the case, and the new cert has to have a different DN, correct?
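To make the first-match behaviour described in the post concrete, here is an added Python model of the lookup; it is not gnutls code, signatures are simulated with a keyed hash, and the DNs, key names and certificates are constructed. It contrasts the first-DN-match lookup with one that tries every trusted CA sharing the issuer DN, which is what the old/new CA overlap period needs.

```python
# Added model of the issuer lookup the post describes; not gnutls code.
# Signatures are simulated with a keyed hash so it runs offline.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str    # DN of the certificate holder
    issuer: str     # DN of the signing CA
    key_id: str     # stands in for the public key
    tbs: str        # the to-be-signed content
    signature: str


def sign(tbs: str, signer_key: str) -> str:
    # Constructed stand-in for a real signature: keyed hash over the tbs content.
    return hashlib.sha256(f"{signer_key}|{tbs}".encode()).hexdigest()


def verify_with(ca: Cert, cert: Cert) -> bool:
    return sign(cert.tbs, ca.key_id) == cert.signature


def find_issuer_first(trusted, cert):
    """Lookup as the post describes it: the first CA whose DN matches, and only that one."""
    for ca in trusted:
        if ca.subject == cert.issuer:
            return ca
    return None


def verify_first_match(trusted, cert) -> bool:
    ca = find_issuer_first(trusted, cert)
    return ca is not None and verify_with(ca, cert)


def verify_all_matches(trusted, cert) -> bool:
    """Try every trusted CA with a matching DN until one signature verifies."""
    return any(verify_with(ca, cert) for ca in trusted if ca.subject == cert.issuer)


# Constructed sample: old and new CA certs share one DN but hold different keys.
CA_DN = "CN=Example Root CA"
OLD_CA = Cert(CA_DN, CA_DN, "key-old", "tbs-old", sign("tbs-old", "key-old"))
NEW_CA = Cert(CA_DN, CA_DN, "key-new", "tbs-new", sign("tbs-new", "key-new"))
TRUSTED = [OLD_CA, NEW_CA]  # old cert listed first, as during the overlap period
# Leaf issued under the new CA key during the overlap period.
LEAF = Cert("CN=host.example", CA_DN, "key-leaf", "tbs-leaf", sign("tbs-leaf", "key-new"))
```

With the old cert ahead of the new one in the trust list, the first-match lookup picks the old key and the leaf fails to verify, while trying all DN matches succeeds.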