Protocol for renewing CA certs

Sam Varshavchik mrsam at
Sun Sep 25 20:52:24 CEST 2011

Nikos Mavrogiannopoulos writes:

> On 09/24/2011 05:14 PM, Sam Varshavchik wrote:
>> A logistical question occured to me, while I was browsing through the
>> code that verifies certificates.
>> _gnutls_verify_certificate2() locates a certificate's signing CA by
>> invoking find_issuer(), which searches the list of trusted CAs. The
>> search simply compares each CA's entire DN against the certificate's
>> issuer's DN.
>> Once a matching DN is found, _gnutls_verify_certificate2() tries that CA
>> cert, and if it doesn't work it does not look for any other DNs that match.
> In gnutls 3.0.x _gnutls_verify_certificate2() will only check against the  
> latest valid issuer. Check the find_issuer() function in the same file.

I'll look it up, but I'm also trying to work this out in my head. It seems  
to me that it shouldn't be merely the latest valid issuer, but rather a  
strict match against the activation and expiration time range, so that a  
certificate should get checked against a CA cert whose activation/expiration  
time includes the certificate's expiration time. That's because new CA certs  
must be distributed in advance of the expiration of existing CA certs, so  
there would be a transition period where both certs are placed in trusted  
chains, and existing certs won't validate, of course, against the new cert.  
Additionally, for this to work, I think that the CAs must generate new certs  
whose activation time is specified to be exactly the expiration time of the  
expiring cert, and continue to sign certificates with the expiring cert up  
until it actually expires, then immediately switch to the new cert.

I don't know if this is exactly what the CAs do, or whether they activate  
new CA certs in advance of the existing CA cert's expiration, and sign new  
certs using the new CA cert. If they do that, then it seems to me that even  
the logic of using just the latest CA cert wouldn't work, because both CA  
certs will overlap, and certs signed by the expiring CA cert won't validate  
against the new CA cert.

Also, is it only the cert's activation time must fall within the  
activation/expiration time of the signing cert? Or that both activation and  
expiration time of a cert must fall within the signing cert's range? Because  
if clients validate the entire cert's activation/expiration range against  
the signing cert's range, CAs would be forced to generate new certs whose  
activation/expiration range overlaps with their expiring cert, so that certs  
signed by the expiring cert remain valid, and new certs would have to be  
signed by the new CA cert, since the new certs' expiration time would fall  
outside of the expiring CA cert's.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: </pipermail/attachments/20110925/a6d44515/attachment.pgp>

More information about the Gnutls-help mailing list