Protocol for renewing CA certs

Sam Varshavchik mrsam at
Sat Sep 24 17:14:32 CEST 2011

A logistical question occured to me, while I was browsing through the code  
that verifies certificates.

_gnutls_verify_certificate2() locates a certificate's signing CA by invoking  
find_issuer(), which searches the list of trusted CAs. The search simply  
compares each CA's entire DN against the certificate's issuer's DN.

Once a matching DN is found, _gnutls_verify_certificate2() tries that CA  
cert, and if it doesn't work it does not look for any other DNs that match.

When a particular's CA cert's expiration time approaches, naturally the CA  
would generate a new cert and begin signing new certificates using its new  
cert. But because there are still valid certificates signed by the expiring  
certs, both the old and the new certs must be on the trusted list, until the  
old cert expires.

So, that means that the new cert must have a different DN? I originally  
thought that it's sufficient to generate a new cert with the same DN, and a  
new expiration, but this doesn't seem to be the case, and the new cert has  
to have a different DN, correct?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: </pipermail/attachments/20110924/af1404b2/attachment.pgp>

More information about the Gnutls-help mailing list