Protocol for renewing CA certs
nmav at gnutls.org
Sun Sep 25 18:03:27 CEST 2011
On 09/24/2011 05:14 PM, Sam Varshavchik wrote:
> A logistical question occured to me, while I was browsing through the
> code that verifies certificates.
> _gnutls_verify_certificate2() locates a certificate's signing CA by
> invoking find_issuer(), which searches the list of trusted CAs. The
> search simply compares each CA's entire DN against the certificate's
> issuer's DN.
> Once a matching DN is found, _gnutls_verify_certificate2() tries that CA
> cert, and if it doesn't work it does not look for any other DNs that match.
In gnutls 3.0.x _gnutls_verify_certificate2() will only check against
the latest valid issuer. Check the find_issuer() function in the same file.
> When a particular's CA cert's expiration time approaches, naturally the
> CA would generate a new cert and begin signing new certificates using
> its new cert. But because there are still valid certificates signed by
> the expiring certs, both the old and the new certs must be on the
> trusted list, until the old cert expires.
> So, that means that the new cert must have a different DN?
No. I'd expect it to have the same DN.
More information about the Gnutls-help