Protocol for renewing CA certs

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Sep 26 11:56:57 CEST 2011


On Sun, Sep 25, 2011 at 8:52 PM, Sam Varshavchik <mrsam at courier-mta.com> wrote:

>> In gnutls 3.0.x _gnutls_verify_certificate2() will only check against the
>> latest valid issuer. Check the find_issuer() function in the same file.
> I'll look it up, but I'm also trying to work this out in my head. It seems
> to me that it shouldn't be merely the latest valid issuer, but rather a
> strict match against the activation and expiration time range, so that a
> certificate should get checked against a CA cert whose activation/expiration
> time includes the certificate's expiration time. That's because new CA certs
> must be distributed in advance of the expiration of existing CA certs, so
> there would be a transition period where both certs are placed in trusted
> chains, and existing certs won't validate, of course, against the new cert.

I don't understand why that is. If the latest valid CA is found (valid
according to activation and expiration time), why wouldn't it be used,
and the check done using a time relative to the certificate? Do you expect a
new CA to change their private and public key pair?

> I don't know if this is exactly what the CAs do, or whether they activate
> new CA certs in advance of the existing CA cert's expiration, and sign new
> certs using the new CA cert. If they do that, then it seems to me that even
> the logic of using just the latest CA cert wouldn't work, because both CA
> certs will overlap, and certs signed by the expiring CA cert won't validate
> against the new CA cert.

I suppose you assume that a new CA certificate would also replace the
private and public key pair. I'd expect in that case for their DN to
also be changed. Otherwise the DN would not be sufficient to determine
the signer certificate.

> Also, is it only the cert's activation time must fall within the
> activation/expiration time of the signing cert?

We don't do strict matching of that. We only make sure that both
certificates are activated at the time of checking. According to PKIX,
the "basic" algorithm for certificate validation is this:
http://tools.ietf.org/html/rfc5280#section-6.1

regards,
Nikos
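The two issuer-selection behaviours discussed in this thread, as an added example that is not part of the original message and not GnuTLS code. It models the "latest valid issuer" rule Nikos describes (my reconstruction, named find_issuer_latest here; it is not the GnuTLS find_issuer() implementation), the PKIX rule that each certificate only has to be valid at the time of checking, and the two renewal cases raised: a CA certificate renewed with the same key pair, and a CA that rotates its key pair but keeps its DN. HMAC stands in for an asymmetric signature, integers stand in for notBefore/notAfter, and every certificate below is constructed for the example.

```python
import dataclasses
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Toy "key pairs": a key id maps to a secret. Signing and verifying both use
# the secret, so HMAC stands in for a real asymmetric signature here.
KEYS = {"ca-key-1": b"ca-secret-1", "ca-key-2": b"ca-secret-2", "leaf-key": b"leaf-secret"}


@dataclass(frozen=True)
class Cert:
    subject: str        # subject DN
    issuer: str         # issuer DN
    not_before: int     # validity start (toy integer time)
    not_after: int      # validity end
    key_id: str         # subject key identifier: which toy key pair this cert carries
    issuer_key_id: str  # authority key identifier: which key pair signed it
    signature: bytes = b""

    def tbs(self) -> bytes:
        # The "to-be-signed" part: everything except the signature itself.
        return "|".join([self.subject, self.issuer, str(self.not_before),
                         str(self.not_after), self.key_id, self.issuer_key_id]).encode()

    def valid_at(self, now: int) -> bool:
        return self.not_before <= now <= self.not_after


def sign(cert: Cert, signer_key_id: str) -> Cert:
    sig = hmac.new(KEYS[signer_key_id], cert.tbs(), hashlib.sha256).digest()
    return dataclasses.replace(cert, signature=sig)


def verify_signature(cert: Cert, issuer: Cert) -> bool:
    # Verify with the key carried in the issuer *certificate*, as path
    # validation does; the issuer DN by itself proves nothing.
    expected = hmac.new(KEYS[issuer.key_id], cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(cert.signature, expected)


def find_issuer_latest(cert: Cert, anchors: list, now: int) -> Optional[Cert]:
    # "Latest valid issuer": trusted certs whose subject matches the issuer DN
    # and which are valid at `now`; among those, the most recent notBefore.
    candidates = [ca for ca in anchors if ca.subject == cert.issuer and ca.valid_at(now)]
    return max(candidates, key=lambda ca: ca.not_before) if candidates else None


def validate(cert: Cert, anchors: list, now: int) -> tuple:
    # PKIX-style: both certificates must be valid at the time of checking
    # (validity periods need not nest), then the signature must verify.
    if not cert.valid_at(now):
        return False, "certificate not valid at check time"
    issuer = find_issuer_latest(cert, anchors, now)
    if issuer is None:
        return False, "no trusted issuer valid at check time"
    if not verify_signature(cert, issuer):
        return False, f"signature does not verify under issuer key {issuer.key_id}"
    return True, f"verified under issuer cert valid {issuer.not_before}-{issuer.not_after}"


def validate_any_valid_issuer(cert: Cert, anchors: list, now: int) -> tuple:
    # Alternative: try every trusted cert with a matching DN that is valid now,
    # newest first, and accept the first whose key actually verifies the
    # signature. This is what matching on the key identifier buys you when a
    # CA rotates its key pair but keeps its DN.
    if not cert.valid_at(now):
        return False, "certificate not valid at check time"
    matches = [ca for ca in anchors if ca.subject == cert.issuer and ca.valid_at(now)]
    for ca in sorted(matches, key=lambda ca: ca.not_before, reverse=True):
        if verify_signature(cert, ca):
            return True, f"verified under issuer key {ca.key_id}"
    return False, "no valid trusted issuer verifies the signature"


CA_DN = "CN=Example Root CA"

# Constructed scenario: the CA renews its certificate with the SAME key pair
# and overlapping validity (ca_renewed), or instead rotates to a NEW key pair
# under the same DN (ca_rekeyed). All three are self-signed trust anchors.
ca_old = sign(Cert(CA_DN, CA_DN, 1000, 3000, "ca-key-1", "ca-key-1"), "ca-key-1")
ca_renewed = sign(Cert(CA_DN, CA_DN, 2500, 5000, "ca-key-1", "ca-key-1"), "ca-key-1")
ca_rekeyed = sign(Cert(CA_DN, CA_DN, 2500, 5000, "ca-key-2", "ca-key-2"), "ca-key-2")

# Leaf issued under ca_old; it outlives that CA cert (expires 4000 > 3000).
leaf = sign(Cert("CN=www.example.test", CA_DN, 2000, 4000, "leaf-key", "ca-key-1"), "ca-key-1")


def demo() -> dict:
    return {
        # same key pair: the newest CA cert verifies the leaf, even after ca_old expired
        "same_key_overlap": validate(leaf, [ca_old, ca_renewed], now=2700),
        "same_key_after_old_expiry": validate(leaf, [ca_old, ca_renewed], now=3500),
        # new key pair, same DN: "latest valid issuer" picks a cert whose key cannot verify
        "rekeyed_latest": validate(leaf, [ca_old, ca_rekeyed], now=2700),
        # trying every valid DN match still finds the right key while ca_old is valid
        "rekeyed_any": validate_any_valid_issuer(leaf, [ca_old, ca_rekeyed], now=2700),
        # once ca_old has expired, nothing trusted verifies the leaf any more
        "rekeyed_after_old_expiry": validate_any_valid_issuer(leaf, [ca_old, ca_rekeyed], now=3500),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:26s} {'OK  ' if ok else 'FAIL'} {why}")
```

The same-key cases are the point of the reply: when the renewed CA certificate carries the same key pair, whichever valid issuer certificate is picked verifies the signature, so nothing in the leaf's validity period has to nest inside the CA certificate's. The rekeyed cases show why a DN match alone is not enough once the key pair changes, and why a CA that rotates keys is expected to change its DN (or why a validator has to fall back to a key identifier match).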



