[openssl-users] Trusting certificates with the same subject name and overlapping validity periods
Jeffrey Walton
noloader at gmail.com
Wed Sep 20 21:58:41 UTC 2017
On Wed, Sep 20, 2017 at 5:48 PM, Jordan Brown
<openssl at jordan.maileater.net> wrote:
> ...
> The above also works with "authorityCertSerialNumber", see
>
> https://tools.ietf.org/html/rfc5280#section-4.2.1.1
>
> If, however, the newer certificate has a different key, and the same
> subject DN, but does not place matching distinct subject key identifiers
> in the certificates it issues, then OpenSSL will not correctly handle
> multiple candidate issuers that differ in the public key, but provide
> no hints in the issued certificates which issuer to use.
>
> I'm not familiar with those extensions and will need to do more research.
I believe the controlling IETF document is "Internet X.509 Public Key
Infrastructure: Certification Path Building",
https://tools.ietf.org/html/rfc4158.
Jeff
More information about the openssl-users
mailing list