Re: Protocol for renewing CA certs
From: Nikos Mavrogiannopoulos
Subject: Re: Protocol for renewing CA certs
Date: Sun, 25 Sep 2011 18:03:27 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.21) Gecko/20110831 Icedove/3.1.13
On 09/24/2011 05:14 PM, Sam Varshavchik wrote:
> A logistical question occurred to me, while I was browsing through the
> code that verifies certificates.
>
> _gnutls_verify_certificate2() locates a certificate's signing CA by
> invoking find_issuer(), which searches the list of trusted CAs. The
> search simply compares each CA's entire DN against the certificate's
> issuer's DN.
>
> Once a matching DN is found, _gnutls_verify_certificate2() tries that CA
> cert, and if it doesn't work it does not look for any other DNs that match.
In gnutls 3.0.x _gnutls_verify_certificate2() will only check against
the latest valid issuer. Check the find_issuer() function in the same file.
> When a particular CA cert's expiration time approaches, naturally the
> CA would generate a new cert and begin signing new certificates using
> its new cert. But because there are still valid certificates signed by
> the expiring certs, both the old and the new certs must be on the
> trusted list, until the old cert expires.
>
> So, that means that the new cert must have a different DN?
No. I'd expect it to have the same DN.
regards,
Nikos