[openssl-users] Trusting certificates with the same subject name and overlapping validity periods

Viktor Dukhovni openssl-users at dukhovni.org
Wed Sep 20 21:25:18 UTC 2017


> On Sep 20, 2017, at 12:33 PM, Jordan Brown <openssl at jordan.maileater.net> wrote:
> 
> Q:  Does OpenSSL's trust-list verification support trusting multiple certificates with the same subject name and overlapping validity periods?
> 
> In more detail:
> 
> We have customers who issue replacement certificates with the same subject name and different validity periods.  We'd like to be able to straightforwardly add the new certificates to the trust list and have them work, but seem to find that certificate verification doesn't handle the case.  (Mozilla NSS does seem to handle it.)

Generally speaking, if the latest certificate has the same key, then
it should cover the older ones, which can be dropped from the trust list.

If, however, the newer certificates have a different key, then everything
should work, provided the certificates issued under the new key carry
an "authority key identifier" extension, which matches the corresponding
"subject key identifier" in the issuer CA certificate.

The above also works with "authorityCertSerialNumber", see

   https://tools.ietf.org/html/rfc5280#section-4.2.1.1

If, however, the newer certificate has a different key, and the same
subject DN, but does not place matching distinct subject key identifiers
in the certificates it issues, then OpenSSL will not correctly handle
multiple candidate issuers that differ in the public key, but provide
no hints in the issued certificates which issuer to use.

-- 
	Viktor.



More information about the openssl-users mailing list