How to rotate cert when only first matching cert been verified

定平袁 pkudingping at gmail.com
Sun Dec 20 01:02:38 UTC 2020


the exact behavior:

When looking up CA certificates, the OpenSSL library will first search the
certificates in *CAfile*, then those in *CApath*. Certificate matching is
done based on the subject name, the key identifier (if present), and the
serial number as taken from the certificate to be verified. If these data
do not match, the next certificate will be tried. If a first certificate
matching the parameters is found, the verification process will be
performed; no other certificates for the same parameters will be searched
in case of failure.

Why will no other certificates for the same parameters be searched?

定平袁 <pkudingping at gmail.com> wrote on Sun, Dec 20, 2020 at 8:59 AM:

> Hello everyone,
>
> Recently I have been trying to rotate a cert, and the client uses the Python
> requests lib, which leverages OpenSSL. Here are my steps:
>
> 1. Generate a new cert and append it to the cert file (at this point,
> there are 2 certs in the file, the first is the old cert, the second is the new one, and they have
> the same Subject), then restart the client side process (no problem here, because the
> first cert matches the server side cert, and it verifies successfully).
> 2. Replace the server side cert with the new cert.
>
> As soon as I perform step #2, the client side process starts to show the error "certificate
> verify failed". This would cause downtime to my apps. I am new to this and
> not sure if there is anything wrong regarding my usage or understanding.
> But I found this page
> https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html,
> and it describes the exact behavior I see in my test:
>
> If several CA certificates matching the name, key identifier, and serial
> number condition are available, only the first one will be examined. This
> may lead to unexpected results if the same CA certificate is available with
> different expiration dates. If a "certificate expired" verification error
> occurs, no other certificate will be searched. Make sure to not have
> expired certificates mixed with valid ones.
>
> So I am wondering how to rotate a cert in such a case. It would be very
> helpful if anyone could help with this. Thanks.
>
> BTW, I tested the same cert file with curl (compiled with GnuTLS), and it
> works fine.
>
> Regards
> Dingping
>
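The first-match behavior quoted above can be checked for before a rotation goes live. The script below is an added example, not code from the thread or from OpenSSL: it walks a PEM bundle in the order OpenSSL searches it and reports a first-listed cert that is already expired plus any later cert with the same subject that will therefore never be tried. It assumes a minimal DER walker that compares the subject byte-for-byte (OpenSSL canonicalizes names, so this is a simplification), and the `fake_cert_pem` builder is a constructed stand-in for real CA certificates, used only to produce the sample bundle offline.

```python
import base64
import re
from datetime import datetime, timezone
_PEM = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _children(buf):
    """Yield (tag, value) for each DER TLV directly inside buf (minimal walker, no validation)."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                                      # long-form length
            length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
        yield tag, buf[pos:pos + length]
        pos += length

def cert_summary(der):
    """Return (subject_der, serial, not_after) of one DER-encoded X.509 certificate."""
    fields = list(_children(next(_children(next(_children(der))[1]))[1]))  # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:                                   # optional [0] EXPLICIT version
        fields.pop(0)
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    tag, raw = list(_children(fields[3][1]))[1]                # validity.notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return fields[4][1], serial, datetime.strptime(raw.decode(), fmt).replace(tzinfo=timezone.utc)

def first_match_findings(pem_bundle, now=None):
    """Flag, in OpenSSL search order, an expired first match and later same-subject certs it shadows."""
    now, first, findings = now or datetime.now(timezone.utc), {}, []
    for idx, m in enumerate(_PEM.finditer(pem_bundle)):
        subject, serial, not_after = cert_summary(base64.b64decode(b"".join(m.group(1).split())))
        if subject in first:                                   # OpenSSL stops at the first match
            findings.append((idx, serial, "never tried: shadowed by cert #%d" % first[subject]))
        else:
            first[subject] = idx
            if not_after < now:
                findings.append((idx, serial, "first match for this subject is expired"))
    return findings

def fake_cert_pem(cn, serial, not_after):
    """Constructed stand-in (not a real CA): a minimal, unsigned certificate skeleton for the sample."""
    d = lambda tag, *p: bytes([tag, len(b"".join(p))]) + b"".join(p)  # short-form DER lengths only
    name = d(0x30, d(0x31, d(0x30, d(0x06, b"\x55\x04\x03"), d(0x0C, cn.encode()))))  # CN=<cn>
    utc = lambda t: d(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = d(0x30, d(0xA0, d(0x02, b"\x02")), d(0x02, bytes([serial])), d(0x30, b""),
            name, d(0x30, utc(datetime(2020, 1, 1)), utc(not_after)), name, d(0x30, b""))
    cert = d(0x30, tbs, d(0x30, b""), d(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"
# Constructed sample bundle: old CA cert (expired 2020-12-01) listed first, renewed cert appended after it
SAMPLE_BUNDLE = (fake_cert_pem("Example CA", 1, datetime(2020, 12, 1))
                 + fake_cert_pem("Example CA", 2, datetime(2022, 12, 1)))
```

Running `first_match_findings(SAMPLE_BUNDLE)` reports the expired first cert and the shadowed second one; a bundle where each subject appears once, with the current cert first, produces no findings.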