Protocol for renewing CA certs

Nikos Mavrogiannopoulos nmav at
Sun Sep 25 18:03:27 CEST 2011

On 09/24/2011 05:14 PM, Sam Varshavchik wrote:
> A logistical question occured to me, while I was browsing through the
> code that verifies certificates.
> _gnutls_verify_certificate2() locates a certificate's signing CA by
> invoking find_issuer(), which searches the list of trusted CAs. The
> search simply compares each CA's entire DN against the certificate's
> issuer's DN.
> Once a matching DN is found, _gnutls_verify_certificate2() tries that CA
> cert, and if it doesn't work it does not look for any other DNs that match.

In gnutls 3.0.x _gnutls_verify_certificate2() will only check against 
the latest valid issuer. Check the find_issuer() function in the same file.

> When a particular's CA cert's expiration time approaches, naturally the
> CA would generate a new cert and begin signing new certificates using
> its new cert. But because there are still valid certificates signed by
> the expiring certs, both the old and the new certs must be on the
> trusted list, until the old cert expires.
> So, that means that the new cert must have a different DN?

No. I'd expect it to have the same DN.


More information about the Gnutls-help mailing list