help-gnutls

Re: Protocol for renewing CA certs


From: Nikos Mavrogiannopoulos
Subject: Re: Protocol for renewing CA certs
Date: Sun, 25 Sep 2011 18:03:27 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.21) Gecko/20110831 Icedove/3.1.13

On 09/24/2011 05:14 PM, Sam Varshavchik wrote:
> A logistical question occurred to me, while I was browsing through the
> code that verifies certificates.
>
> _gnutls_verify_certificate2() locates a certificate's signing CA by
> invoking find_issuer(), which searches the list of trusted CAs. The
> search simply compares each CA's entire DN against the certificate's
> issuer's DN.
> Once a matching DN is found, _gnutls_verify_certificate2() tries that CA
> cert, and if it doesn't work it does not look for any other DNs that match.

In gnutls 3.0.x _gnutls_verify_certificate2() will only check against the latest valid issuer. Check the find_issuer() function in the same file.


> When a particular CA cert's expiration time approaches, naturally the
> CA would generate a new cert and begin signing new certificates using
> its new cert. But because there are still valid certificates signed by
> the expiring certs, both the old and the new certs must be on the
> trusted list, until the old cert expires.
> So, that means that the new cert must have a different DN?

No. I'd expect it to have the same DN.

regards,
Nikos
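The situation the thread describes (an old and a renewed CA certificate carrying the same DN, both on the trusted list, with leaf certificates still outstanding under the old key) can be modelled in a few dozen lines. The following is an added illustration, not GnuTLS code and not from either poster: the signature is an HMAC with a per-CA secret standing in for a real key pair, so the trust-anchor record carries that secret as its verification key, and all DNs, key identifiers, dates and secrets are constructed. It contrasts the "latest valid DN match only" strategy Nikos describes with trying every DN match, and shows how an authority key identifier on the leaf (RFC 5280 semantics) removes the ambiguity.

```python
"""Issuer selection when a CA has been renewed under the same DN.

Constructed model, not GnuTLS code. HMAC with a per-CA secret stands in
for X.509 signatures; a TrustAnchor therefore stores that secret as its
verification key. Only the selection logic is the point.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class Cert:
    subject: str                            # subject DN
    issuer: str                             # issuer DN
    not_before: datetime
    not_after: datetime
    key_id: str                             # stand-in for SubjectKeyIdentifier
    authority_key_id: Optional[str] = None  # stand-in for AuthorityKeyIdentifier
    signature: bytes = b""

    def tbs(self) -> bytes:
        # "To-be-signed" bytes: every field except the signature itself.
        parts = [self.subject, self.issuer, self.not_before.isoformat(),
                 self.not_after.isoformat(), self.key_id,
                 self.authority_key_id or ""]
        return "|".join(parts).encode()


@dataclass
class TrustAnchor:
    cert: Cert
    verify_key: bytes                       # toy: the secret the CA signs with


def sign(cert: Cert, ca_secret: bytes) -> Cert:
    cert.signature = hmac.new(ca_secret, cert.tbs(), hashlib.sha256).digest()
    return cert


def signature_ok(cert: Cert, anchor: TrustAnchor) -> bool:
    expected = hmac.new(anchor.verify_key, cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def valid_at(cert: Cert, now: datetime) -> bool:
    return cert.not_before <= now <= cert.not_after


def issuer_candidates(cert: Cert, anchors: List[TrustAnchor],
                      now: datetime) -> List[TrustAnchor]:
    """Trusted CAs whose subject DN equals the cert's issuer DN and that are
    valid now, newest first. If the cert names an authority key identifier,
    only anchors with that key identifier qualify."""
    out = [a for a in anchors
           if a.cert.subject == cert.issuer and valid_at(a.cert, now)
           and (cert.authority_key_id is None
                or a.cert.key_id == cert.authority_key_id)]
    return sorted(out, key=lambda a: a.cert.not_before, reverse=True)


def verify_latest_match(cert: Cert, anchors: List[TrustAnchor],
                        now: datetime) -> Optional[str]:
    """Check only the latest valid DN match; return its key id on success."""
    cands = issuer_candidates(cert, anchors, now)
    if cands and signature_ok(cert, cands[0]):
        return cands[0].cert.key_id
    return None


def verify_all_matches(cert: Cert, anchors: List[TrustAnchor],
                       now: datetime) -> Optional[str]:
    """Try every valid DN match in turn until one verifies the signature."""
    for a in issuer_candidates(cert, anchors, now):
        if signature_ok(cert, a):
            return a.cert.key_id
    return None


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


OLD_SECRET = b"old-ca-secret"  # constructed
NEW_SECRET = b"new-ca-secret"  # constructed


def build_scenario():
    """Old and renewed root with the same DN, both currently valid, plus
    leaves issued under each key. Returns (anchors, leaves, now)."""
    dn = "CN=Example Root CA,O=Example"
    old_ca = sign(Cert(dn, dn, utc(2001, 1, 1), utc(2012, 6, 30), "kid-old"), OLD_SECRET)
    new_ca = sign(Cert(dn, dn, utc(2011, 1, 1), utc(2022, 1, 1), "kid-new"), NEW_SECRET)
    anchors = [TrustAnchor(new_ca, NEW_SECRET), TrustAnchor(old_ca, OLD_SECRET)]
    leaves = {
        # Issued under the old key before rollover, no AKI: ambiguous by DN alone.
        "old_no_aki": sign(Cert("CN=mail.example.test", dn, utc(2010, 9, 1),
                                utc(2012, 3, 1), "kid-leaf1"), OLD_SECRET),
        # Same, but carrying the old CA's key identifier.
        "old_with_aki": sign(Cert("CN=mail.example.test", dn, utc(2010, 9, 1),
                                  utc(2012, 3, 1), "kid-leaf1", "kid-old"), OLD_SECRET),
        # Issued under the renewed key.
        "new": sign(Cert("CN=www.example.test", dn, utc(2011, 3, 1),
                         utc(2013, 3, 1), "kid-leaf2"), NEW_SECRET),
    }
    return anchors, leaves, utc(2011, 9, 25)


if __name__ == "__main__":
    anchors, leaves, now = build_scenario()
    for name, leaf in leaves.items():
        print(name, "latest-only:", verify_latest_match(leaf, anchors, now),
              "all-matches:", verify_all_matches(leaf, anchors, now))
```

With both roots valid on the chosen date, the leaf issued under the old key and carrying no authority key identifier fails under the latest-only strategy and passes only when every DN match is tried; the same leaf with an AKI is matched to the old root directly, and the leaf issued under the renewed key passes either way. In real deployments the AuthorityKeyIdentifier/SubjectKeyIdentifier pair is what lets a verifier tell two same-DN CA certificates apart without trying each signature.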


