Protocol for renewing CA certs
Sam Varshavchik
mrsam at courier-mta.com
Sat Sep 24 17:14:32 CEST 2011
A logistical question occurred to me, while I was browsing through the code
that verifies certificates.
_gnutls_verify_certificate2() locates a certificate's signing CA by invoking
find_issuer(), which searches the list of trusted CAs. The search simply
compares each CA's entire DN against the certificate's issuer's DN.
Once a matching DN is found, _gnutls_verify_certificate2() tries that CA
cert, and if it doesn't work it does not look for any other DNs that match.
When a particular CA cert's expiration time approaches, naturally the CA
would generate a new cert and begin signing new certificates using its new
cert. But because there are still valid certificates signed by the expiring
certs, both the old and the new certs must be on the trusted list, until the
old cert expires.
So, that means that the new cert must have a different DN? I originally
thought that it's sufficient to generate a new cert with the same DN, and a
new expiration, but this doesn't seem to be the case, and the new cert has
to have a different DN, correct?
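The overlap period the post describes, built and checked in code as an added example (editor's illustration in Go's standard library, not code from the post and not GnuTLS's implementation): two CA certificates with the same subject DN but different keys, one about to expire and one freshly issued, a leaf signed by the new one, and a trust list that still holds the old CA cert first. FindIssuerFirstDN mimics the lookup the post describes (first DN match only, no further candidates) and fails on the old CA; FindIssuerAnyDN tries every DN match and uses the Subject/Authority Key Identifier extensions (which RFC 5280 defines for exactly this CA key-rollover situation) to pick the right one; Go's own x509.Verify is run with both CA certs as roots for comparison. The DN "Example Root CA", the server name "www.example.com", and the function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must aborts on test-bed failures (key generation, DER encoding), never on verification results.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with parentKey for a fresh P-256 key; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// caTemplate builds a CA template for the one hypothetical DN every CA cert here shares;
// Go adds a Subject Key Identifier to CA certificates on its own.
func caTemplate(serial int64, from, to time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), NotBefore: from, NotAfter: to,
		Subject:      pkix.Name{CommonName: "Example Root CA", Organization: []string{"Example"}},
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// FindIssuerFirstDN mirrors the lookup the post describes: the first trusted CA whose
// subject equals the leaf's issuer DN is tried, and no other DN match is considered.
func FindIssuerFirstDN(leaf *x509.Certificate, trusted []*x509.Certificate) (*x509.Certificate, error) {
	for _, ca := range trusted {
		if bytes.Equal(ca.RawSubject, leaf.RawIssuer) {
			return ca, leaf.CheckSignatureFrom(ca)
		}
	}
	return nil, errors.New("no trusted CA with a matching DN")
}

// FindIssuerAnyDN tries every DN match, skips CA certs whose Subject Key Identifier
// contradicts the leaf's Authority Key Identifier, and keeps the one that verifies.
func FindIssuerAnyDN(leaf *x509.Certificate, trusted []*x509.Certificate) (*x509.Certificate, error) {
	err := errors.New("no trusted CA matches the issuer DN and key identifier")
	for _, ca := range trusted {
		if !bytes.Equal(ca.RawSubject, leaf.RawIssuer) {
			continue
		}
		if len(leaf.AuthorityKeyId) > 0 && len(ca.SubjectKeyId) > 0 &&
			!bytes.Equal(leaf.AuthorityKeyId, ca.SubjectKeyId) {
			continue // same name, different key pair
		}
		if err = leaf.CheckSignatureFrom(ca); err == nil {
			return ca, nil
		}
	}
	return nil, err
}

// RunScenario builds the overlap period from the post: an expiring CA, its renewal with the
// same DN but a new key, a leaf signed by the renewal, the old CA cert listed first.
func RunScenario() (firstDNErr error, anyDNOK, stdlibOK bool) {
	now := time.Now()
	oldCA, _ := issue(caTemplate(1, now.AddDate(-5, 0, 0), now.AddDate(0, 1, 0)), nil, nil)
	newCA, newKey := issue(caTemplate(2, now.AddDate(0, 0, -1), now.AddDate(10, 0, 0)), nil, nil)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "www.example.com"},
		NotBefore: now.AddDate(0, 0, -1), NotAfter: now.AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}, newCA, newKey)
	trusted := []*x509.Certificate{oldCA, newCA}
	_, firstDNErr = FindIssuerFirstDN(leaf, trusted)
	_, err := FindIssuerAnyDN(leaf, trusted)
	anyDNOK = err == nil
	roots := x509.NewCertPool()
	roots.AddCert(oldCA)
	roots.AddCert(newCA)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
	stdlibOK = err == nil
	return firstDNErr, anyDNOK, stdlibOK
}

func main() {
	first, anyOK, stdOK := RunScenario()
	fmt.Printf("first DN match only: %v\nevery DN match: %v\nx509.Verify: %v\n", first, anyOK, stdOK)
}
```

Run with `go run .`: the first-DN-only lookup lands on the old CA cert and reports an ECDSA verification failure, while both the try-every-match lookup and x509.Verify accept the leaf with the two same-DN roots trusted. Whether a renewed CA cert may keep its DN therefore depends on the verifier: a lookup that stops at the first DN match ties the outcome to the order of the trust list, whereas a lookup that tries all DN matches, or consults the key identifiers, does not.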