Support for trusted_ca_keys extension during TLS handshake

Martin Paljak martin at
Wed Oct 31 16:06:43 CET 2012

On Wed, Oct 31, 2012 at 2:22 PM, David Fuhrmann
<david.fuhrmann at> wrote:
> I have the situation that an embedded system only has a limited and static
> set of CA
> certificates installed (at production time). For these CA certificates, it
> is intended that you
> can have newer ones with an overlaping validity period. So, the server needs
> to know
> which tls certificate he needs to deliver so that the embedded system can
> verify it with
> the existing CA certificate.

Does this mean that you would have two overlapping CA
keys/certificates, with the same name but different validity periods?

This sounds like a strange setup to me. Why can't the client system
differentiate the (updated) issuer itself, by changing the common name
of the new root?


More information about the Gnutls-devel mailing list