Support for trusted_ca_keys extension during TLS handshake
martin at martinpaljak.net
Wed Oct 31 16:06:43 CET 2012
On Wed, Oct 31, 2012 at 2:22 PM, David Fuhrmann
<david.fuhrmann at googlemail.com> wrote:
> I have the situation that an embedded system only has a limited and static
> set of CA
> certificates installed (at production time). For these CA certificates, it
> is intended that you
> can have newer ones with an overlaping validity period. So, the server needs
> to know
> which tls certificate he needs to deliver so that the embedded system can
> verify it with
> the existing CA certificate.
Does this mean that you would have two overlapping CA
keys/certificates, with the same name but different validity periods?
This sounds like a strange setup to me. Why can't the client system
differentiate the (updated) issuer itself, by changing the common name
of the new root?
More information about the Gnutls-devel